VDB
CISA-2026-0650
CISA-2026-0650
PUBLISHED
CVSS 9.3 CRITICAL
Reported by VulnCheck · Published January 7, 2026
OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.
Risk Scores
CVSS 4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| OpenFlagr | Flagr | 0 |
| OpenFlagr | Flagr | 0, 0 |
Timeline
- Jan 7, 2026 CVE Published
- Jan 7, 2026 CVE Updated