Authentication bypass
Description
Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, the ConfigOpsController lets the user perform management operations like querying the database or even wiping it out. While the /data/remove endpoint is properly protected with the @Secured annotation, the /derby endpoint is not protected and can be openly accessed by unauthenticated users. These endpoints are only valid when using embedded storage (derby DB) so this issue should not affect those installations using external storage (e.g. mysql)
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.alibaba.nacos:nacos-commonMaven | < 1.4.1 | 1.4.1 |
Affected products
2- alibaba/nacosv5Range: < 1.4.1
Patches
Vulnerability mechanics
Root cause
"Missing authentication annotation on the `/derby` endpoint allows unauthenticated execution of arbitrary SQL queries."
Attack vector
An unauthenticated attacker sends a GET request to `/nacos/v1/cs/ops/derby?sql=...` with a crafted `select` statement. The endpoint only validates that the SQL starts with `select` and that the storage mode is embedded Derby, but performs no authentication [CWE-306]. This allows the attacker to dump all database tables, including `users`, `roles`, and `permissions`, and then crack the bcrypt-hashed passwords offline using the known salt algorithm [ref_id=1].
Affected code
The vulnerability resides in `ConfigOpsController.java` in the `nacos-config` module. The `@GetMapping(value = "/derby")` endpoint (`derbyOps` method) was missing any authentication annotation, allowing unauthenticated access to execute arbitrary SQL queries against the embedded Derby database. The patch adds `@Secured(action = ActionTypes.READ, resource = "nacos/admin")` to this method.
What the fix does
The patch adds the `@Secured(action = ActionTypes.READ, resource = "nacos/admin")` annotation to the `derbyOps` method. This enforces authentication and authorization checks before the endpoint can be invoked, ensuring that only authenticated users with the appropriate admin-level permission can execute SQL queries against the embedded Derby database.
Preconditions
- configNacos must be deployed with embedded Derby storage (not external MySQL)
- authNo authentication is required; the endpoint is publicly accessible
- networkAttacker must be able to send HTTP GET requests to the Nacos server
- inputThe SQL payload must start with 'select' (case-insensitive)
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
5- github.com/advisories/GHSA-36hp-jr8h-556fghsax_refsource_CONFIRMADVISORY
- github.com/advisories/GHSA-xv5h-v7jh-p2qhghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-29442ghsaADVISORY
- github.com/alibaba/nacos/issues/4463ghsax_refsource_MISCWEB
- github.com/alibaba/nacos/pull/4517ghsax_refsource_MISCWEB
News mentions
0No linked articles in our index yet.