PT-2026-37261 · Fides · Fides

Published 2026-05-05 · Updated 2026-05-12 · CVE-2026-42303

CVSS v4.0: 6.1 Medium

Vector: AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N

Name of the Vulnerable Software and Affected Versions: Fides versions 2.75.0 through 2.83.1

Description: Deployments that enable both subject identity verification and duplicate privacy request detection are susceptible to an issue where an administrator can approve a privacy request without the identity ever being verified. This occurs when duplicate detection classifies a request as a duplicate before verification; the administrative interface then presents the request with approval options, potentially leading an administrator to approve it during routine triage. An unauthenticated attacker can exploit this by submitting two requests using a target's email address without completing the OTP verification, causing the second request to be marked as a duplicate and become approvable. For erasure policies, this can lead to the unauthorized deletion of a data subject's records across all configured integrations. Additionally, versions 2.82.0 through 2.83.1 contain a denial-of-service issue where an unauthenticated attacker can prevent a legitimate data subject from completing identity verification on a request classified as a duplicate. The issue is active when both subject_identity_verification_required and privacy_request_duplicate_detection.enabled are set to true.

Recommendations: Update to version 2.83.2 or later. As a temporary workaround, disable duplicate detection by setting the privacy_request_duplicate_detection.enabled variable to false. Administrators should deny or delete any privacy request whose identity has not been verified instead of approving it.
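
The exposure conditions and the triage rule above, written as a check a defender could run over a request export. This is an added example, not code from Fides or from the advisory; the PrivacyRequest fields, the decision labels and the sample rows are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Affected ranges as stated in the advisory (inclusive).
APPROVAL_BYPASS = ((2, 75, 0), (2, 83, 1))
VERIFICATION_DOS = ((2, 82, 0), (2, 83, 1))


def exposure(version: str, verification_required: bool, duplicate_detection: bool) -> set:
    """Return which of the two advisory issues apply to a deployment."""
    # Both settings must be true for the issue to be active; applying the
    # same gate to the denial-of-service issue is an assumption.
    if not (verification_required and duplicate_detection):
        return set()
    v = tuple(int(part) for part in version.split("."))
    issues = set()
    if APPROVAL_BYPASS[0] <= v <= APPROVAL_BYPASS[1]:
        issues.add("unverified-approval")
    if VERIFICATION_DOS[0] <= v <= VERIFICATION_DOS[1]:
        issues.add("verification-dos")
    return issues


@dataclass
class PrivacyRequest:
    """Hypothetical export row; field names are not the Fides schema."""
    request_id: str
    status: str                          # e.g. "duplicate", "pending"
    identity_verified_at: Optional[str]  # None = OTP never completed
    action: str                          # "access" or "erasure"


def triage(requests):
    """Apply the advisory's rule: never approve an unverified request."""
    decisions = {}
    for r in requests:
        if r.identity_verified_at is not None:
            decisions[r.request_id] = "normal-review"
        elif r.status == "duplicate" and r.action == "erasure":
            # Unverified duplicate on an erasure policy: the destructive case.
            decisions[r.request_id] = "deny-or-delete (erasure risk)"
        else:
            decisions[r.request_id] = "deny-or-delete"
    return decisions


# Constructed sample data.
SAMPLE = [
    PrivacyRequest("req-1", "duplicate", None, "erasure"),
    PrivacyRequest("req-2", "pending", "2026-05-01T10:00:00Z", "access"),
    PrivacyRequest("req-3", "duplicate", None, "access"),
]
```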

Exploit

Fix

Missing Authentication

Authentication Bypass Using an Alternate Path or Channel

Weakness Enumeration

Related Identifiers

CVE-2026-42303
GHSA-QX5F-GHC2-7G5C

Affected Products

Fides