Skip to main content

Ethyca Fides CVE-2026-42303

MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-05 https://github.com/ethyca/fides GHSA-qx5f-ghc2-7g5c
6.1
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
X

Lifecycle Timeline

3
CVSS changed
May 12, 2026 - 18:22 NVD
6.1 (MEDIUM)
Source Code Evidence Fetched
May 05, 2026 - 21:45 vuln.today
Analysis Generated
May 05, 2026 - 21:45 vuln.today

DescriptionGitHub Advisory

Summary

Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment.

A related lower-severity denial-of-service issue, in which an unauthenticated attacker could prevent a legitimate data subject from completing their own privacy requests, is also patched in the fix for this vulnerability.

Am I affected?

This vulnerability only affects deployments that use Fides's privacy request (data subject request) features, also known collectively as "Lethe". Deployments that do not submit, process, or manage privacy requests through Fides are not affected.

Within deployments that do use privacy request features, your deployment is affected if both of the following settings are effectively set to true:

  • subject_identity_verification_required
  • privacy_request_duplicate_detection.enabled

Both settings default to false.

Each setting can be configured in multiple places. If the same setting is configured in more than one place, Fides resolves conflicts in the following precedence order, highest priority first:

  1. Admin UI / configuration API - stored in the application database and applied at runtime
  2. Environment variables - read at webserver startup
  3. fides.toml - read at webserver startup
  4. Default value - used if none of the above set the value

To determine whether your deployment is affected, check each setting in every location that applies to your configuration management.

subject_identity_verification_required

  • fides.toml: under the [execution] section as subject_identity_verification_required = true
  • Environment variable: FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED=true
  • No Admin UI control - this setting is not exposed through the Admin UI and cannot be set via the configuration API

privacy_request_duplicate_detection.enabled

  • fides.toml: under the [privacy_request_duplicate_detection] section as enabled = true
  • Environment variable: FIDES__PRIVACY_REQUEST_DUPLICATE_DETECTION__ENABLED=true
  • Admin UI: Settings → Privacy requests → Duplicate detection, via the "Enable duplicate detection" toggle. The toggle reflects only values set through the Admin UI or configuration API. A value set via fides.toml or environment variable will not appear here.

<figure> <img width="1392" height="940" alt="GHSA - Duplicate Detection Enabled" src="https://github.com/user-attachments/assets/e384f273-ce68-403c-adb2-93536eca5f3a" /> <figcaption> <em> The "Enable duplicate detection" toggle when it's enabled, under Settings → Privacy requests in the Admin UI. </em> </figcaption> </figure>

Details

When duplicate detection classifies a privacy request as a duplicate before its identity has been verified, the administrative interface presents that request with Approve, Deny, and Delete options. An administrator performing routine duplicate request triage may approve such a request without realising the identity was never verified. The request is then processed as if verification had succeeded.

An attacker exploits this by submitting two privacy requests using a target's email address, never completing the OTP verification. The second request is classified as a duplicate and becomes approvable through the administrative interface.

The fix for this vulnerability also patches a lower-severity issue, present in versions 2.82.0 through 2.83.1, in which a legitimate data subject could not complete identity verification on a privacy request that had been classified as a duplicate, allowing an unauthenticated attacker to block that data subject from exercising their privacy rights through the affected deployment.

Impact

An unauthenticated attacker who knows a target's email address and can reach the public Privacy Center can cause an erasure privacy request to be approved by an administrator and processed without identity verification. The result is unauthorized deletion of the data subject's records across every integration configured in the affected deployment. Effects may be permanent and may cascade into downstream systems.

Access privacy requests are a less meaningful vector: the resulting access package is delivered to the data subject's registered email address, not to the attacker, so the attacker does not gain the data. The request still represents unauthorized processing.

Patches

The vulnerabilities have been patched in Fides OSS version 2.83.2. Users are advised to upgrade to this version or later to secure their systems against these threats.

Fides Enterprise (fidesplus) version 2.83.2 contains the same patch.

Workarounds

Disable duplicate detection by setting privacy_request_duplicate_detection.enabled to false. This can be changed under Settings → Privacy Requests → Duplicate detection in the Admin UI). This fully mitigates the vulnerability and is the recommended interim workaround for deployments that cannot immediately upgrade.

<figure> <p> <img width="1392" height="880" alt="GHSA - Disable Duplicate Detection" src="https://github.com/user-attachments/assets/fc0c87a1-7e40-4698-ba9e-e1721f591310" /> <figcaption> <em> The "Enable duplicate detection" toggle when it's disabled, under Settings → Privacy requests in the Admin UI. </em> </figcaption> <p> </figure>

Administrators of deployments that must retain duplicate detection should deny or delete, rather than approve, any privacy request whose identity has not been verified. This reduces the likelihood of exploitation but relies on administrator vigilance during each triage action.

<img width="1392" height="1044" alt="GHSA - Admin Approval of Unverified Privacy Request" src="https://github.com/user-attachments/assets/b2ad4940-40d3-468b-897e-8cca6ce4707e" /> <figcaption> <em> An administrator's view when approving an unverified privacy request in the Admin UI. </em> </figcaption> </figure>

Severity

This vulnerability has been assigned a severity of MEDIUM.

The rating reflects the fact that exploitation requires an administrator to approve the malicious request. An attacker alone cannot cause a privacy request to be processed. The administrative interface understates the verification state of a duplicate-classified request, which increases the likelihood of inadvertent approval during routine triage, but without administrator user interaction the vulnerability is not exploitable.

The related denial-of-service issue addressed in the same patch is also rated medium-severity in isolation and does not raise the overall severity of this advisory.

References

  • Fides OSS 2.83.2 release: https://github.com/ethyca/fides/releases/tag/2.83.2
  • Fix for the identity bypass vulnerability: PR #7972, commit e7a6527
  • Fix for the related denial-of-service issue: PR #7971, commit 0e320b2

AnalysisAI

Authentication bypass in Ethyca Fides allows administrators to unknowingly approve privacy erasure requests without identity verification when both subject identity verification and duplicate privacy request detection are enabled, resulting in unauthorized deletion of data subject records across all configured integrations. The vulnerability exploits a UI/UX flaw in the administrative interface that fails to clearly indicate unverified identity status on duplicate-classified requests, combined with a logic gap that processes unverified requests if approved by an admin. No public exploit code identified at time of analysis, but exploitation requires only an unauthenticated attacker with knowledge of a target's email address and access to the public Privacy Center.

Technical ContextAI

Fides is an open-source privacy engineering platform that implements data subject access request (DSAR) workflows through its 'Lethe' privacy request subsystem. The vulnerability resides in the interaction between two optional security features: subject identity verification (which requires OTP confirmation via email) and duplicate privacy request detection (which classifies subsequent requests from the same email as duplicates). The root cause is classified as CWE-288 (Authentication Bypass Using Alternative Route), specifically a missing authorization check or improper identity state tracking. When a privacy request is classified as a duplicate before OTP verification completes, the administrative interface permits approval without requiring the administrator to re-verify that identity has been established. The affected products are Fides OSS versions 2.75.0 through 2.83.1 (via CPE pkg:pip/ethyca-fides) and Fides Enterprise (fidesplus) versions in the same range. The vulnerability only manifests when both subject_identity_verification_required=true and privacy_request_duplicate_detection.enabled=true are simultaneously configured, which are both false by default.

RemediationAI

Upgrade to Fides OSS version 2.83.2 or later, or upgrade Fides Enterprise (fidesplus) to version 2.83.2 or later. The patch is confirmed by GitHub PR #7972 (commit e7a6527b0f9fdc9887b86a89bb5453e7421882dd) which adds identity verification state validation before request approval. See https://github.com/ethyca/fides/releases/tag/2.83.2 for the official release. If immediate upgrade is not possible, disable duplicate detection by setting privacy_request_duplicate_detection.enabled=false, which can be toggled in the Admin UI under Settings → Privacy Requests → Duplicate detection. This workaround completely eliminates the vulnerability but disables the ability to detect and manage duplicate requests, which may increase administrative overhead for organizations receiving repetitive requests. Administrators who must retain duplicate detection pending patch deployment should implement a mandatory verification procedure: deny or delete any privacy request for which the identity verification status is uncertain, rather than approving unverified requests during triage. This procedural control relies on consistent operator discipline and does not eliminate the UI/UX deception that makes the vulnerability exploitable.

Share

CVE-2026-42303 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy