VDB

CISA-2026-0650

CISA-2026-0650 PUBLISHED CVSS 9.3 CRITICAL

Reported by VulnCheck · Published January 7, 2026

OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.

Risk Scores

CVSS 4.0
9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Affected Products

VendorProductVersions
OpenFlagrFlagr0
OpenFlagrFlagr0, 0

Timeline

  • Jan 7, 2026 CVE Published
  • Jan 7, 2026 CVE Updated

References

  • release-notespatch
  • technical-descriptionexploit
  • third-party-advisory
Open in Interactive Console →
$ Console Community · 100/wk Open console ›