CVE-2026-0650

CVSS v4.0

9.3

Critical

Vector

AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Name of the Vulnerable Software and Affected Versions OpenFlagr versions prior to and including 1.1.18

Description The software contains an authentication bypass issue in the HTTP middleware. Improper path normalization within the whitelist logic allows crafted requests to bypass authentication, granting access to protected API endpoints without valid credentials. This unauthorized access could potentially allow modification of feature flags and the export of sensitive data.

Recommendations Update to a version later than 1.1.18.

Exploit

Fix

Missing Authentication

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-425CWE-306

Related Identifiers

CVE-2026-0650

GHSA-RWP9-5G7Q-73Q3

GO-2026-4286

SUSE-SU-2026:0142-1

Affected Products

Openflagr

CVE-2026-0650

Weakness Enumeration

Related Identifiers

Affected Products

References · 48