PT-2026-24688 · Flagd · Flagd

Danipalli · Published 2026-03-11 · Updated 2026-03-25 · CVE-2026-31866

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions: flagd versions prior to 0.14.2

Description: flagd, a feature flag daemon, exposes OFREP ('/ofrep/v1/evaluate/...') and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be reached directly by client applications, and flagd does not enforce authentication on them by default; operators may deploy it behind an authenticating reverse proxy, but the endpoints themselves carry no access control. The evaluation context in the request payload is read into memory without any size limit, so an unauthenticated attacker who can reach an evaluation endpoint can send a very large request body and force flagd to allocate a correspondingly large amount of memory, until the process is terminated (for example by an OOMKill in a Kubernetes environment). Because each request is cheap to send and the process can be hit again as soon as it restarts, the attack can be repeated to keep the service down.

The affected endpoints are:

'/ofrep/v1/evaluate/flags/{flagKey}'
'/ofrep/v1/evaluate/flags'
flagd.evaluation.v1.Service/ResolveBoolean
flagd.evaluation.v1.Service/ResolveString
flagd.evaluation.v1.Service/ResolveFloat
flagd.evaluation.v1.Service/ResolveInt
flagd.evaluation.v1.Service/ResolveObject
flagd.evaluation.v1.Service/ResolveAll
flagd.evaluation.v2.Service/ResolveBoolean
flagd.evaluation.v2.Service/ResolveString
flagd.evaluation.v2.Service/ResolveFloat
flagd.evaluation.v2.Service/ResolveInt
flagd.evaluation.v2.Service/ResolveObject

Impact: denial of service and service disruption, repeatable at will by an unauthenticated remote attacker.

Recommendations: Update flagd to version 0.14.2 or later.
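The pattern behind this weakness, and the fix shape, in a minimal Go HTTP handler. This is an added illustration written for this page, not flagd's code and not its actual patch: the request type, the 64 KiB cap (maxBodyBytes) and the handler are assumptions chosen to show the difference between decoding a client-supplied evaluation context with no bound and decoding it through http.MaxBytesReader, which fails the read once the cap is exceeded instead of letting the body size dictate the allocation. The oversized request body is constructed inline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
	"strings"
)

// evaluateRequest mirrors the shape of an OFREP evaluate request body:
// an arbitrary "context" object supplied by the (unauthenticated) caller.
// Illustrative type for this example, not flagd's own.
type evaluateRequest struct {
	Context map[string]interface{} `json:"context"`
}

// maxBodyBytes is an assumed cap on the evaluation request body. Real
// evaluation contexts are a handful of attributes, so 64 KiB is generous.
const maxBodyBytes = 64 << 10

// decodeUnbounded is the vulnerable pattern: it decodes whatever the client
// sends, so the request body size alone dictates how much memory is used.
func decodeUnbounded(r *http.Request) (*evaluateRequest, error) {
	var req evaluateRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		return nil, err
	}
	return &req, nil
}

// decodeBounded wraps the body with http.MaxBytesReader so that reading past
// the cap returns *http.MaxBytesError instead of growing the allocation.
func decodeBounded(w http.ResponseWriter, r *http.Request) (*evaluateRequest, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBodyBytes)
	var req evaluateRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		return nil, err
	}
	return &req, nil
}

// evaluateHandler returns an OFREP-style handler. With bounded=true it refuses
// oversized bodies with 413; with bounded=false it behaves like the unfixed path.
func evaluateHandler(bounded bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		var (
			req *evaluateRequest
			err error
		)
		if bounded {
			req, err = decodeBounded(w, r)
		} else {
			req, err = decodeUnbounded(r)
		}
		var tooLarge *http.MaxBytesError
		switch {
		case errors.As(err, &tooLarge):
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		case err != nil:
			http.Error(w, "bad request", http.StatusBadRequest)
			return
		}
		// A real evaluator would resolve the flag against the context here;
		// this example only reports how many context attributes were received.
		fmt.Fprintf(w, "%d", len(req.Context))
	}
}

// post drives a handler with an in-memory request and returns the HTTP status.
func post(h http.Handler, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/ofrep/v1/evaluate/flags/my-flag", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	h.ServeHTTP(rec, req)
	return rec.Code
}

// oversizedBody builds a constructed evaluation context well past the cap:
// a single attribute whose value is a 1 MiB string.
func oversizedBody() string {
	return `{"context":{"targetingKey":"` + strings.Repeat("A", 1<<20) + `"}}`
}

func main() {
	small := `{"context":{"targetingKey":"user-123","tier":"gold"}}`
	fmt.Println("unbounded, small :", post(evaluateHandler(false), small))
	fmt.Println("unbounded, 1 MiB :", post(evaluateHandler(false), oversizedBody()))
	fmt.Println("bounded,   small :", post(evaluateHandler(true), small))
	fmt.Println("bounded,   1 MiB :", post(evaluateHandler(true), oversizedBody()))
}
```

The unbounded handler accepts the 1 MiB context exactly as it accepts the normal one; only the caller's bandwidth limits how much it will buffer. The bounded handler answers 413 and stops reading at the cap. Until an upgrade to 0.14.2 is possible, the same limit can be imposed in front of flagd by any reverse proxy that caps request bodies (nginx's client_max_body_size, for example), which also covers the OFREP path for deployments that already front flagd with an authenticating proxy; note that such a proxy limit protects the HTTP endpoints only if the gRPC listener is not reachable around it.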

Weakness Enumeration

Allocation of Resources Without Limits

Related Identifiers

CVE-2026-31866
GHSA-RMRF-G9R3-73PM
GO-2026-4674
SUSE-SU-2026:1042-1

Affected Products

Flagd