CVE-2026-0650
Published 2026-01-07
Priority P268 · critical · CVSS 4.0: 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS: 0.44% (35.1th percentile)
OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| github.com | openflagr_flagr | >= 0 < 0.0.0-20251009103504-fe83dc87aa40 | 0.0.0-20251009103504-fe83dc87aa40 |
| openflagr | flagr | <= 1.1.18 | — |
Detection & IOCs (extracted from sources)
- Authentication bypass via crafted requests exploiting improper path normalization in the HTTP middleware whitelist logic; monitor for requests to protected API endpoints that lack valid credentials but succeed due to path manipulation.
- Focus detection on OpenFlagr instances running versions <= 1.1.18 (github.com/openflagr/flagr); look for anomalous unauthenticated access to feature flag modification or data export endpoints.
- Monitor for unauthorized modification of feature flags or export of sensitive data as post-exploitation indicators of this authentication bypass.
- A public exploit is reported to exist for this CVE, increasing the likelihood of active exploitation attempts in the wild.
- The vulnerability affects the Go module github.com/openflagr/flagr; all deployments using this package at version 1.1.18 or earlier should be considered at risk.
- A fix was made available as of January 8, 2026; the bypass is rooted in path normalization handling, so WAF rules normalizing paths before whitelist evaluation may provide partial mitigation until patching.
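The mitigation in the last item above, evaluating the allowlist only after the request path has been normalized and failing closed otherwise, as an added Go example. It is not OpenFlagr's code or its fix; the prefixes, function names and sample paths are constructed for illustration.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// Hypothetical unauthenticated prefixes (not OpenFlagr's real configuration).
var publicPrefixes = []string{"/public/health", "/static"}

// canonicalPath percent-decodes the raw path once and cleans it. ok is false
// when the decoded path was not already canonical (dot segments, repeated
// slashes), still contains '%' (double encoding), or cannot be decoded.
func canonicalPath(raw string) (string, bool) {
	decoded, err := url.PathUnescape(raw)
	if err != nil || !strings.HasPrefix(decoded, "/") || strings.Contains(decoded, "%") {
		return "", false
	}
	clean := path.Clean(decoded)
	ok := decoded == clean || (clean != "/" && decoded == clean+"/")
	return clean, ok
}

// needsAuth reports whether a request must carry valid credentials.
// Non-canonical paths are never treated as public (fail closed), and
// prefixes match only on whole path segments.
func needsAuth(raw string) bool {
	p, ok := canonicalPath(raw)
	if !ok {
		return true
	}
	for _, pre := range publicPrefixes {
		if p == pre || strings.HasPrefix(p, pre+"/") {
			return false
		}
	}
	return true
}

func main() {
	// Constructed sample paths, not taken from any real traffic.
	for _, raw := range []string{
		"/public/health", "/static/app.js", "/admin/export",
		"/public/health/../admin/export", "/public/healthz",
	} {
		fmt.Printf("%-34s needsAuth=%v\n", raw, needsAuth(raw))
	}
}
```

In a `net/http` middleware the raw input would be `r.URL.EscapedPath()`, so the check sees the path before the server has decoded it.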
OSV
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware in github.com/openflagr/flagr
osv·2026-01-12
CVE-2026-0650 OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware in github.com/openflagr/flagr
OSV
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware
osv·2026-01-07
CVE-2026-0650 [CRITICAL] OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware
GHSA
OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware
ghsa·2026-01-07
CVE-2026-0650 [CRITICAL] CWE-306 OpenFlagr contains an authentication bypass vulnerability in the HTTP middleware
No detection rules found.
No public exploits indexed.
2026-01-07
Published