Skip to main content

Apollo ConfigService CVE-2026-59954

| EUVDEUVD-2026-44725 HIGH
Improper Input Validation (CWE-20)
2026-07-13 https://github.com/apolloconfig/apollo GHSA-4w3q-qpfq-v992
7.5
CVSS 3.1 · Vendor: https://github.com/apolloconfig/apollo
Share

Severity by source

Vendor (https://github.com/apolloconfig/apollo) PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
5.9 MEDIUM

Network and unauthenticated (AV:N/PR:N), but AC:H because success depends on a non-default equivalence-treating DB collation and knowing the appId; confidentiality-only read (C:H, I:N/A:N).

3.1 AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:H/AT:P/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (https://github.com/apolloconfig/apollo).

CVSS VectorVendor: https://github.com/apolloconfig/apollo

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 21:18 EUVD
Source Code Evidence Fetched
Jul 13, 2026 - 19:24 vuln.today
Analysis Generated
Jul 13, 2026 - 19:24 vuln.today
CVE Published
Jul 13, 2026 - 18:26 github-advisory
HIGH 7.5

DescriptionCVE.org

Summary

Apollo ConfigService may allow unauthorized access to configuration data when AccessKey / management key authentication is enabled and ConfigService accepts a non-canonical appId variant during authentication while downstream request handling resolves it to the protected app.

Details

ConfigService extracts appId from configuration and notification requests and uses the extracted value to look up available AccessKey secrets. If the extracted appId is a non-canonical variant that does not exactly match the AccessKey cache key, ConfigService may treat the request as having no available secrets and allow it to continue without signature verification.

This can happen when downstream release lookup still matches the real appId under database collations that treat the values as equivalent. Examples include accent variants under accent-insensitive collations, or trailing-space variants under PAD SPACE collations.

Impact

An unauthenticated remote attacker may read configuration data from affected ConfigService endpoints when AccessKey / management key authentication is enabled for the target app and the deployment database collation treats a non-canonical appId variant as equivalent to the real appId.

Affected endpoints

The primary impact is on ConfigService configuration read endpoints under /configs and /configfiles. Notification endpoints using appId parameters are also hardened as defense-in-depth.

Status

Fixed in Apollo 2.5.2. Users should upgrade to Apollo 2.5.2 or later.

Related advisory

The raw config file endpoint parsing issue originally described in this advisory has been split into GHSA-h4pc-58cc-hc95 so each independently fixable vulnerability can receive its own CVE.

AnalysisAI

Authentication bypass in Apollo (Ctrip apolloconfig) ConfigService allows an unauthenticated remote attacker to read protected configuration data from /configs and /configfiles endpoints even when AccessKey/management-key authentication is enabled. The flaw stems from ConfigService accepting a non-canonical appId variant (e.g. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify target ConfigService endpoint
Delivery
Enumerate protected appId
Exploit
Craft non-canonical appId variant
Install
Send unauthenticated request to /configs
C2
Auth check skips signature verification
Execute
Collation resolves variant to real app
Impact
Read protected configuration data

Vulnerability AssessmentAI

Exploitation Exploitation requires that AccessKey/management-key authentication is enabled for the target app (the very control being bypassed) AND that the deployment's backing database uses a collation that treats a non-canonical appId variant as equivalent to the canonical appId - specifically accent-insensitive collations (accent-variant appIds) or PAD SPACE collations such as MySQL utf8_general_ci (trailing-space appId variants). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N, 7.5 High) presents a network, unauthenticated, low-complexity confidentiality breach, which overstates real-world ease: the description makes clear that exploitation is conditional on (1) AccessKey/management-key authentication actually being enabled for the target app, and (2) the deployment's database collation treating a non-canonical appId variant as equivalent to the real one. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who knows the protected appId of a target Apollo deployment (e.g. 'orders-service') sends an unauthenticated GET to the ConfigService /configs endpoint using a non-canonical variant such as a trailing-space or accented form of that appId. …
Remediation Vendor-released patch: Apollo 2.5.2 - upgrade apollo-configservice, then apollo-adminservice, then apollo-portal in that order (per the v2.5.2 release notes at https://github.com/apolloconfig/apollo/releases/tag/v2.5.2; there is no schema change from 2.5.1 to 2.5.2, so it is a straightforward binary redeploy). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: enumerate all Apollo ConfigService instances and assess network exposure; identify which configurations store secrets or sensitive credentials; apply firewall and security group rules to restrict access to trusted networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2012-0217 HIGH POC
7.2 Jun 12

The x86-64 kernel system-call functionality in Xen 4.1.2 and earlier, as used in Citrix XenServer 6.0.2 and earlier and

CVE-2026-33309 CRITICAL POC
9.9 Mar 19

An authenticated path traversal vulnerability in Langflow's file upload functionality allows attackers to write arbitrar

CVE-2019-7304 CRITICAL POC
9.8 Apr 23

Canonical snapd before version 2.37.1 incorrectly performed socket owner validation, allowing an attacker to run arbitra

CVE-2026-33186 CRITICAL POC
9.1 Mar 18

An authorization bypass vulnerability in gRPC-Go allows attackers to circumvent path-based access control by sending HTT

CVE-2026-50180 HIGH POC
8.7 Jul 02

Arbitrary file read in Langroid's SQLChatAgent (<= 0.63.0) lets an attacker who can influence the LLM-generated SQL exfi

CVE-2020-14966 HIGH POC
7.5 Jun 22

An issue was discovered in the jsrsasign package through 8.0.18 for Node.js. Rated high severity (CVSS 7.5), this vulner

CVE-2020-13822 HIGH POC
7.7 Jun 04

The Elliptic package 6.5.2 for Node.js allows ECDSA signature malleability via variations in encoding, leading '\0' byte

CVE-2026-29181 HIGH POC
7.5 Apr 07

Resource exhaustion in OpenTelemetry Go propagation library (v1.41.0 and earlier) enables remote attackers to trigger se

CVE-2019-7303 HIGH POC
7.5 Apr 23

A vulnerability in the seccomp filters of Canonical snapd before version 2.37.4 allows a strict mode snap to insert char

CVE-2014-4699 MEDIUM POC
6.9 Jul 09

The Linux kernel before 3.15.4 on Intel processors does not properly restrict use of a non-canonical value for the saved

CVE-2017-7725 MEDIUM POC
6.1 Apr 13

concrete5 8.1.0 places incorrect trust in the HTTP Host header during caching, if the administrator did not define a "ca

CVE-2026-48816 MEDIUM POC
6.5 Jul 01

Timestamp forgery in sigstore-js allows an attacker supplying a crafted bundle v0.2 to manipulate certificate validity w

Share

CVE-2026-59954 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy