CVE-2026-31866: Allocation of Resources Without Limits or Throttling in Flagd

Severity: 7.5 HIGH (NVD)
EPSS: 0.1% (top 71.21%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Mar 11; latest update Mar 12

Description

flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context included in request payloads is read into memory without any size restriction. An attacker can send a single HTTP request with an arbitrarily large body, causing flagd to allocate a corresponding amount

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

NVD: openfeature/flagd < 0.14.2
CVEListV5: open-feature/flagd < 0.14.2

Patches

Vulnerability Details (4)

OSV: flagd Vulnerable to Allocation of Resources Without Limits or Throttling in github.com/open-feature/flagd/flagd (2026-03-12)
CVEList: Allocation of Resources Without Limits or Throttling in flagd (2026-03-11)
GHSA: flagd Vulnerable to Allocation of Resources Without Limits or Throttling (2026-03-11)
OSV: flagd Vulnerable to Allocation of Resources Without Limits or Throttling (2026-03-11)

Threat Intelligence (1)

Wiz: CVE-2026-31866 Impact, Exploitability, and Mitigation Steps | Wiz
CVE-2026-31866 — Open-feature Flagd vulnerability | cvebase