PT-2026-50823 · Ly+1 · Armeria+1

Published: 2026-06-18 · Updated: 2026-06-19 · CVE-2026-11752

CVSS v4.0: 5.9 (Medium)
Vector: AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: armeria-xds versions 1.38.0 through 1.39.0

Description: DataSourceStream in the xDS module resolves filename and environment variable fields from SDS Secret resources without an allow-list or base-directory confinement. This allows a compromised or semi-trusted xDS control plane, or an attacker performing a man-in-the-middle attack on SDS responses, to read arbitrary local files and environment variables on the xDS client host. This information disclosure can be used to exfiltrate sensitive data such as TLS private keys, system files, cloud credentials, and database tokens. The issue is located in the xds/src/main/java/com/linecorp/armeria/xds/DataSourceStream.java component.

Recommendations: Update to version 1.40.0. Ensure the xDS control plane channel is authenticated and encrypted using mTLS to prevent the injection of malicious SDS responses. Run the xDS client with minimal filesystem permissions and a restricted environment to limit the impact of arbitrary reads. Use inline DataSource bytes delivered over the SDS stream instead of file-based secrets, and audit control-plane configurations to ensure no filename or environment variable DataSources are present.
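Added example (not code from the Armeria project or from this advisory): a small Python auditor illustrating the two controls the description says were missing, an allow-list of DataSource kinds and base-directory confinement for file lookups, plus the configuration audit the recommendations call for. The Secret resource is a constructed dict whose shape follows the Envoy DataSource oneof (filename / inline_bytes / inline_string / environment_variable); the policy constants, function names and the base directory are assumptions for illustration.

```python
import base64
import os
from pathlib import Path

# The four oneof fields of an xDS DataSource (Envoy proto shape, used here as
# plain dict keys). A dict carrying exactly one of them is treated as a
# DataSource; this shape assumption is ours, not the project's.
DATA_SOURCE_KINDS = ("filename", "inline_bytes", "inline_string", "environment_variable")

# Assumed hardened policy: only payloads carried inline over the SDS stream are
# accepted. File and environment lookups are denied unless explicitly allowed.
ALLOWED_KINDS = frozenset({"inline_bytes", "inline_string"})

# Constructed sample SDS Secret resource: one inline field (fine) and two
# fields that would trigger host reads on an unconfined client.
SAMPLE_SECRET = {
    "name": "server-cert",
    "tls_certificate": {
        "certificate_chain": {"inline_string": "-----BEGIN CERTIFICATE-----\n(constructed)\n"},
        "private_key": {"filename": "../../etc/ssl/private/server.key"},
        "password": {"environment_variable": "DB_PASSWORD"},
    },
}


def data_source_kind(node):
    """Return (kind, value) if `node` is shaped like a DataSource oneof, else None."""
    if not isinstance(node, dict):
        return None
    present = [k for k in DATA_SOURCE_KINDS if k in node]
    if len(present) != 1:
        return None
    return present[0], node[present[0]]


def find_data_sources(node, path=""):
    """Yield (json_path, kind, value) for every DataSource nested anywhere in a resource."""
    found = data_source_kind(node)
    if found:
        yield path, found[0], found[1]
        return
    if isinstance(node, dict):
        for key, child in node.items():
            yield from find_data_sources(child, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from find_data_sources(child, f"{path}[{i}]")


def audit_secret(secret, allowed_kinds=ALLOWED_KINDS):
    """Control-plane config audit: list DataSources whose kind is outside the allow-list."""
    return [(p, k, v) for p, k, v in find_data_sources(secret) if k not in allowed_kinds]


def confine_to_base(base_dir, requested):
    """Resolve `requested` under base_dir; raise if the real path escapes it.

    Both sides are resolved (symlinks, '..', absolute paths) before comparing,
    which is the check the advisory says the vulnerable versions lacked.
    """
    base = Path(base_dir).resolve()
    target = (base / requested).resolve()  # an absolute `requested` replaces base
    if target != base and base not in target.parents:
        raise ValueError(f"DataSource path {requested!r} escapes {base}")
    return str(target)


def resolve_data_source(ds, base_dir, allowed_env=frozenset()):
    """Load a DataSource under the hardened policy; returns bytes or raises ValueError."""
    found = data_source_kind(ds)
    if not found:
        raise ValueError("not a DataSource")
    kind, value = found
    if kind == "inline_bytes":
        # In JSON-encoded resources inline_bytes is base64; raw bytes pass through.
        return base64.b64decode(value) if isinstance(value, str) else bytes(value)
    if kind == "inline_string":
        return value.encode()
    if kind == "filename":
        return Path(confine_to_base(base_dir, value)).read_bytes()
    if value not in allowed_env:  # environment_variable: default deny
        raise ValueError(f"environment variable {value!r} is not allow-listed")
    return os.environ[value].encode()


if __name__ == "__main__":
    for path, kind, value in audit_secret(SAMPLE_SECRET):
        print(f"FINDING {path}: {kind}={value!r}")
```

Running the block prints two findings for the constructed secret (the filename and environment_variable entries); the inline certificate chain passes. `confine_to_base` alone is not sufficient on its own for the advisory's threat model, since a control plane can still point at any file under the base directory; the allow-list of kinds is what removes the read primitive entirely.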

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-11752
GHSA-HGW6-8C77-V4GQ

Affected Products

Armeria
com.linecorp.armeria:armeria-xds