Which versions of Kanidm are affected by EUVD-2026-36133?

Kanidm identity management server prior to version 1.9.3 is vulnerable to unauthenticated remote denial-of-service.. A patch is available.

How to fix or mitigate EUVD-2026-36133?

Within 24 hours: Inventory all Kanidm deployments and identify versions in use; implement firewall restrictions on /scim/v1/* endpoints if immediate patching is not feasible. Within 7 days: Upgrade all instances to Kanidm 1.9.3 or later; validate patch deployment in non-production first. Within 30 days: Monitor logs for malicious filter query patterns; remove temporary firewall rules post-patch; conduct incident response review.

Kanidm EUVD-2026-36133

Q: What is the CVSS score of EUVD-2026-36133?

EUVD-2026-36133 has a CVSS 4.0 base score of 8.7 (High). CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X. EPSS exploitation probability: 0.0%.

| CVE-2026-46689 HIGH

Uncaught Exception (CWE-248)

2026-06-10 GitHub_M

GHSA-r5fr-9gmv-jggh

Buffer Overflow Kanidm

8.7

CVSS 4.0 · Vendor: GitHub_M

Severity by source

Vendor (GitHub_M) PRIMARY

8.7 HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

vuln.today AI

7.5 HIGH

Single unauthenticated HTTP GET to a default-exposed SCIM endpoint crashes the daemon, giving AV:N/AC:L/PR:N/UI:N with only availability impact (A:H), no confidentiality or integrity loss, scope unchanged.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Lifecycle Timeline

Patch available

Jun 10, 2026 - 23:01 EUVD

Source Code Evidence Fetched

Jun 10, 2026 - 21:18 vuln.today

Analysis Generated

Jun 10, 2026 - 21:18 vuln.today

DescriptionCVE.org

Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4-12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() - the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.

AnalysisAI

Unauthenticated remote denial-of-service in Kanidm identity management server versions prior to 1.9.3 allows any network attacker to crash the entire kanidmd daemon by sending a single GET request to any /scim/v1/* endpoint with a deeply nested parenthesised ?filter= query string. The recursive-descent PEG parser exhausts the worker thread's 2 MiB stack, triggering Rust's std::process::abort(). …

Unlock full vulnerability intelligence

Risk assessment & exploitation conditions
Attack chain visualization
Remediation with exact patch versions
Threat intelligence from 22 sources
Personal watchlist & email alerts

Continue with Google Continue with GitHub

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon

Identify exposed kanidmd /scim/v1 endpoint

Delivery

Craft GET with ~4-12 KB nested-parenthesis filter

Exploit

Send unauthenticated request

Install

Axum Query extractor invokes PEG parser

Recursive parse exhausts worker stack

Execute

Rust aborts kanidmd process

Impact

Identity provider outage disrupts dependent SSO