Skip to main content

Feast Feature Server CVE-2026-23537

| EUVDEUVD-2026-40997 CRITICAL
Missing Authorization (CWE-862)
2026-07-01 redhat GHSA-4m9c-5f58-453x
9.1
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
vuln.today AI
9.1 CRITICAL

Unauthenticated network endpoint with bypassable path checks gives AV:N/AC:L/PR:N; arbitrary write yields I:H and disk-exhaustion A:H, with no read so C:N.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
High

Lifecycle Timeline

2
Patch available
Jul 01, 2026 - 16:01 EUVD
Analysis Generated
Jul 01, 2026 - 14:53 vuln.today

DescriptionCVE.org

A vulnerability has been identified in the Feast Feature Server’s /save-document endpoint that allows an unauthenticated remote attacker to write arbitrary JSON files to the server's filesystem. Although the system attempts to restrict file locations, these protections can be bypassed, enabling an attacker to overwrite vital application configurations or startup scripts. Because this flaw requires no credentials or special privileges, any attacker with network access to the server can potentially compromise the integrity of the system. This could lead to unauthorized system modifications, denial of service through disk exhaustion, or potential remote code execution.

AnalysisAI

Arbitrary file write in the Feast Feature Server's /save-document endpoint lets an unauthenticated remote attacker write attacker-controlled JSON to the host filesystem, bypassing the endpoint's path restrictions to overwrite application configuration or startup scripts. Because no credentials are required (CVSS 9.1, PR:N), any network-reachable attacker can corrupt system integrity, cause denial of service through disk exhaustion, or potentially achieve remote code execution. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach exposed Feature Server endpoint
Delivery
Send crafted /save-document request
Exploit
Bypass path restriction guardrails
Execution
Overwrite config or startup script
Persist
Trigger reload or restart
Impact
Integrity loss, DoS, or code execution

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the Feast Feature Server's HTTP `/save-document` endpoint, and nothing more: no credentials, tokens, or user interaction (AV:N/AC:L/PR:N/UI:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals align on high priority: the CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) describes a network-reachable, low-complexity, unauthenticated write with high integrity and availability impact (C:N/I:H/A:H), scoring 9.1. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the Feature Server over the network sends a crafted HTTP request to `/save-document` with a manipulated file path that bypasses the location restrictions, writing a malicious JSON file over an application config or startup script. On the next service restart or config reload the tampered file is consumed, degrading integrity, exhausting disk, or executing attacker-influenced logic. …
Remediation Upstream fix available (PR/commit); released patched version not independently confirmed - the code fix is tracked in https://github.com/red-hat-data-services/feast/pull/192, and Red Hat OpenShift AI users should consult https://access.redhat.com/security/cve/CVE-2026-23537 and bug https://bugzilla.redhat.com/show_bug.cgi?id=2429304 for the RHOAI errata and exact fixed release once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Feast Feature Server instances and assess network exposure; determine if any RHOAI deployments are impacted. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-23537 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy