Skip to main content

OpenFlagr CVE-2026-0650

CRITICAL
Missing Authentication for Critical Function (CWE-306)
2026-01-07 disclosure@vulncheck.com GHSA-rwp9-5g7q-73q3
9.3
CVSS 4.0 · Vendor: vulncheck
Share

Severity by source

Vendor (vulncheck) PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
9.1 CRITICAL

Unauthenticated network request over the API (AV:N/AC:L/PR:N/UI:N); data export gives C:H and flag modification gives I:H, but Flagr's own availability is not directly impacted, so A:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (vulncheck).

CVSS VectorVendor: vulncheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
Analysis Updated
Jul 14, 2026 - 16:47 vuln.today
v3 (cvss_changed)
Source Code Evidence Fetched
Jul 14, 2026 - 16:46 vuln.today
Analysis Updated
Jul 14, 2026 - 16:46 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 16:22 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 16:22 NVD
9.3 (CRITICAL)
Patch released
Mar 31, 2026 - 21:13 nvd
Patch available
Analysis Generated
Mar 12, 2026 - 21:54 vuln.today
CVE Published
Jan 07, 2026 - 12:17 nvd
N/A

DescriptionCVE.org

OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.

AnalysisAI

Authentication bypass in OpenFlagr (the openflagr/flagr feature-flag service) versions up to and including 1.1.18 lets remote unauthenticated attackers reach protected API endpoints by exploiting flawed path normalization in the HTTP middleware's prefix whitelist. Attackers can read and modify feature flags and export sensitive configuration data with no credentials. A public technical writeup ('0day speedrun') exists, but there is no public exploit identified as weaponized and no active exploitation has been confirmed; EPSS is low at 0.13%.

Technical ContextAI

OpenFlagr is an open-source Go feature-flag management and evaluation service. The flaw is rooted in CWE-306 (Missing Authentication for Critical Function): the HTTP middleware maintains a whitelist of path prefixes that are allowed to skip authentication (typically evaluation/health endpoints), but the comparison is performed against a non-canonicalized request path. Because path normalization is applied inconsistently, a crafted URL (e.g. using traversal, encoded, or trailing segments that normalize to a protected path while matching a whitelisted prefix during the check) satisfies the whitelist test yet is routed to a protected handler. The upstream fix is PR #632 'Fix path check logic' by @zhouzhuojie, released in 1.1.19, which corrects how the middleware evaluates the path against the whitelist.

Affected ProductsAI

OpenFlagr (GitHub project openflagr/flagr) versions prior to and including 1.1.18 are affected; the flaw is fixed in 1.1.19 (https://github.com/openflagr/flagr/releases/tag/1.1.19). No CPE string was provided in the intelligence, so exact CPE matching could not be confirmed. Vendor/researcher advisory: VulnCheck (https://www.vulncheck.com/advisories/openflagr-authentication-bypass-via-prefix-whitelist-path-normalization). Any environment self-hosting a Flagr instance at 1.1.18 or earlier with the HTTP API reachable should be considered affected.

RemediationAI

Vendor-released patch: upgrade to OpenFlagr 1.1.19, which includes the corrected path-check logic (PR #632); see https://github.com/openflagr/flagr/releases/tag/1.1.19. This is the primary and recommended fix. If immediate upgrade is not possible, restrict network exposure of the Flagr API - place it behind a reverse proxy or gateway that enforces authentication independently, and limit access to the management/API endpoints to trusted internal networks or VPN only (trade-off: legitimate remote evaluation clients must be re-pointed through the enforced path). As a further compensating control, front the service with a WAF/proxy rule that canonicalizes and rejects requests containing path traversal or encoded separators before they reach Flagr's middleware (trade-off: rule tuning risk and possible false positives on legitimate encoded paths). Also review audit logs for unexpected flag changes or data exports predating the upgrade. Advisory references: VulnCheck advisory and the dreyand.rs technical writeup (https://dreyand.rs/code%20review/golang/2026/01/03/0day-speedrun-openflagr-less-1118-authentication-bypass).

Share

CVE-2026-0650 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy