GHSA-H4PC-58CC-HC95

Vulnerability from github – Published: 2026-07-13 18:37 – Updated: 2026-07-13 18:37
VLAI
Summary
Apollo ConfigService access key authentication bypass via raw config file appId parsing
Details

Summary

Apollo ConfigService may allow unauthorized access to raw configuration data when AccessKey / management key authentication is enabled because authentication parsed the appId incorrectly for the raw config file endpoint.

Details

Requests under /configfiles/raw/{appId}/{clusterName}/{namespace} were parsed for authentication as appId "raw" instead of the actual path appId. ConfigService used the parsed appId to look up available AccessKey secrets before verifying the request signature.

If no AccessKey is configured for an application literally named "raw", ConfigService may treat the request as having no available secrets and allow it to continue without signature verification, even when AccessKey / management key authentication is enabled for the actual target appId in the path.

Impact

An unauthenticated remote attacker may read raw configuration data from affected ConfigService endpoints when AccessKey / management key authentication is enabled for the target app and the attacker requests the raw config file endpoint.

Affected endpoints

The primary impact is on ConfigService raw config file reads under /configfiles/raw/{appId}/{clusterName}/{namespace}.

Status

Fixed in Apollo 2.5.2. Users should upgrade to Apollo 2.5.2 or later.

Related advisory

The non-canonical appId matching issue is tracked separately in GHSA-4w3q-qpfq-v992 so each independently fixable vulnerability can receive its own CVE.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c 2.5.2"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "com.ctrip.framework.apollo:apollo"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-59955"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-20",
      "CWE-287"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-13T18:37:14Z",
    "nvd_published_at": null,
    "severity": "HIGH"
  },
  "details": "### Summary\nApollo ConfigService may allow unauthorized access to raw configuration data when AccessKey / management key authentication is enabled because authentication parsed the appId incorrectly for the raw config file endpoint.\n\n### Details\nRequests under /configfiles/raw/{appId}/{clusterName}/{namespace} were parsed for authentication as appId \"raw\" instead of the actual path appId. ConfigService used the parsed appId to look up available AccessKey secrets before verifying the request signature.\n\nIf no AccessKey is configured for an application literally named \"raw\", ConfigService may treat the request as having no available secrets and allow it to continue without signature verification, even when AccessKey / management key authentication is enabled for the actual target appId in the path.\n\n### Impact\nAn unauthenticated remote attacker may read raw configuration data from affected ConfigService endpoints when AccessKey / management key authentication is enabled for the target app and the attacker requests the raw config file endpoint.\n\n### Affected endpoints\nThe primary impact is on ConfigService raw config file reads under /configfiles/raw/{appId}/{clusterName}/{namespace}.\n\n### Status\nFixed in Apollo 2.5.2. Users should upgrade to Apollo 2.5.2 or later.\n\n### Related advisory\nThe non-canonical appId matching issue is tracked separately in GHSA-4w3q-qpfq-v992 so each independently fixable vulnerability can receive its own CVE.",
  "id": "GHSA-h4pc-58cc-hc95",
  "modified": "2026-07-13T18:37:14Z",
  "published": "2026-07-13T18:37:14Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/apolloconfig/apollo/security/advisories/GHSA-h4pc-58cc-hc95"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apolloconfig/apollo"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apolloconfig/apollo/releases/tag/v2.5.2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apollo ConfigService access key authentication bypass via raw config file appId parsing"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…