GHSA-H4PC-58CC-HC95
Vulnerability from github – Published: 2026-07-13 18:37 – Updated: 2026-07-13 18:37Summary
Apollo ConfigService may allow unauthorized access to raw configuration data when AccessKey / management key authentication is enabled because authentication parsed the appId incorrectly for the raw config file endpoint.
Details
Requests under /configfiles/raw/{appId}/{clusterName}/{namespace} were parsed for authentication as appId "raw" instead of the actual path appId. ConfigService used the parsed appId to look up available AccessKey secrets before verifying the request signature.
If no AccessKey is configured for an application literally named "raw", ConfigService may treat the request as having no available secrets and allow it to continue without signature verification, even when AccessKey / management key authentication is enabled for the actual target appId in the path.
Impact
An unauthenticated remote attacker may read raw configuration data from affected ConfigService endpoints when AccessKey / management key authentication is enabled for the target app and the attacker requests the raw config file endpoint.
Affected endpoints
The primary impact is on ConfigService raw config file reads under /configfiles/raw/{appId}/{clusterName}/{namespace}.
Status
Fixed in Apollo 2.5.2. Users should upgrade to Apollo 2.5.2 or later.
Related advisory
The non-canonical appId matching issue is tracked separately in GHSA-4w3q-qpfq-v992 so each independently fixable vulnerability can receive its own CVE.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c 2.5.2"
},
"package": {
"ecosystem": "Maven",
"name": "com.ctrip.framework.apollo:apollo"
},
"ranges": [
{
"events": [
{
"introduced": "0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-59955"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-287"
],
"github_reviewed": true,
"github_reviewed_at": "2026-07-13T18:37:14Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Summary\nApollo ConfigService may allow unauthorized access to raw configuration data when AccessKey / management key authentication is enabled because authentication parsed the appId incorrectly for the raw config file endpoint.\n\n### Details\nRequests under /configfiles/raw/{appId}/{clusterName}/{namespace} were parsed for authentication as appId \"raw\" instead of the actual path appId. ConfigService used the parsed appId to look up available AccessKey secrets before verifying the request signature.\n\nIf no AccessKey is configured for an application literally named \"raw\", ConfigService may treat the request as having no available secrets and allow it to continue without signature verification, even when AccessKey / management key authentication is enabled for the actual target appId in the path.\n\n### Impact\nAn unauthenticated remote attacker may read raw configuration data from affected ConfigService endpoints when AccessKey / management key authentication is enabled for the target app and the attacker requests the raw config file endpoint.\n\n### Affected endpoints\nThe primary impact is on ConfigService raw config file reads under /configfiles/raw/{appId}/{clusterName}/{namespace}.\n\n### Status\nFixed in Apollo 2.5.2. Users should upgrade to Apollo 2.5.2 or later.\n\n### Related advisory\nThe non-canonical appId matching issue is tracked separately in GHSA-4w3q-qpfq-v992 so each independently fixable vulnerability can receive its own CVE.",
"id": "GHSA-h4pc-58cc-hc95",
"modified": "2026-07-13T18:37:14Z",
"published": "2026-07-13T18:37:14Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/apolloconfig/apollo/security/advisories/GHSA-h4pc-58cc-hc95"
},
{
"type": "PACKAGE",
"url": "https://github.com/apolloconfig/apollo"
},
{
"type": "WEB",
"url": "https://github.com/apolloconfig/apollo/releases/tag/v2.5.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Apollo ConfigService access key authentication bypass via raw config file appId parsing"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.