Moderate severityNVD Advisory· Published Aug 30, 2024· Updated Aug 30, 2024

OPA SMB Force-Authentication

CVE-2024-8260

Description

A SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability exists because of improper input validation, allowing a user to pass an arbitrary SMB share instead of a Rego file as an argument to OPA CLI or to one of the OPA Go library’s functions.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A SMB force-authentication vulnerability in OPA for Windows allows attackers to leak Net-NTLMv2 hashes by passing a malicious UNC path instead of a Rego file.

Vulnerability

Overview

CVE-2024-8260 is an SMB force-authentication vulnerability affecting all versions of Open Policy Agent (OPA) for Windows prior to v0.68.0. The root cause is improper input validation, which permits a user to supply an arbitrary SMB share (UNC path) in place of a legitimate Rego file when using the OPA CLI or calling certain OPA Go library functions [1][4].

Exploitation

Details

Exploitation requires an initial foothold in the environment or social engineering to trick a user into executing the OPA CLI with a malicious UNC path as an argument. Affected CLI commands include opa eval -d, opa eval --bundle, and opa run -s. Additionally, Go-based services that integrate OPA may be vulnerable if they pass user-controlled input to functions such as Rego.Load() or Rego.LoadBundle() [4]. The attack is more likely if the vulnerable function receives input from an untrusted source, especially on internet-facing platforms.

Impact

A successful exploit forces the Windows device running OPA to initiate outbound SMB traffic to an attacker-controlled server, leaking the Net-NTLMv2 hash of the currently logged-in user. The attacker can then relay this hash to authenticate against other systems supporting NTLMv2 or perform offline password cracking [4].

Mitigation

The vulnerability is fixed in OPA v0.68.0 and later. Users on Windows should upgrade immediately to this version or apply appropriate workarounds, such as restricting outbound SMB traffic on port 445 [3][4].

References

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
github.com/open-policy-agent/opaGo	< 0.68.0	0.68.0

Affected products

114

osv-coords113 versions
pkg:apk/chainguard/conftest pkg:apk/chainguard/conftest-fips pkg:apk/chainguard/cosign pkg:apk/chainguard/cosign-fips pkg:apk/chainguard/datadog-agent pkg:apk/chainguard/datadog-agent-core-integrations pkg:apk/chainguard/datadog-agent-core-integrations-fips pkg:apk/chainguard/datadog-agent-fakeintake pkg:apk/chainguard/datadog-agent-fakeintake-fips pkg:apk/chainguard/datadog-agent-fips pkg:apk/chainguard/datadog-agent-jmx pkg:apk/chainguard/datadog-agent-jmx-fips pkg:apk/chainguard/datadog-agent-oci-compat pkg:apk/chainguard/datadog-agent-oci-compat-fips pkg:apk/chainguard/datadog-agent-s6-overlay pkg:apk/chainguard/datadog-agent-s6-overlay-fips pkg:apk/chainguard/datadog-cluster-agent pkg:apk/chainguard/datadog-cluster-agent-fips pkg:apk/chainguard/datadog-cluster-agent-oci-compat pkg:apk/chainguard/datadog-cluster-agent-oci-compat-fips pkg:apk/chainguard/dogstatsd pkg:apk/chainguard/gatekeeper-3.17 pkg:apk/chainguard/gatekeeper-3.17-compat pkg:apk/chainguard/gatekeeper-3.17-crds pkg:apk/chainguard/gatekeeper-3.17-crds-compat pkg:apk/chainguard/gatekeeper-3.17-gator pkg:apk/chainguard/gatekeeper-fips-3.17 pkg:apk/chainguard/gatekeeper-fips-3.17-compat pkg:apk/chainguard/k8sgpt pkg:apk/chainguard/kots pkg:apk/chainguard/kots-compat pkg:apk/chainguard/kots-symlink-compat pkg:apk/chainguard/kubescape pkg:apk/chainguard/kyverno-1.11 pkg:apk/chainguard/kyverno-1.12 pkg:apk/chainguard/kyverno-background-controller-1.11 pkg:apk/chainguard/kyverno-background-controller-1.12 pkg:apk/chainguard/kyverno-background-controller-fips-1.11 pkg:apk/chainguard/kyverno-background-controller-fips-1.12 pkg:apk/chainguard/kyverno-cleanup-controller-1.11 pkg:apk/chainguard/kyverno-cleanup-controller-1.12 pkg:apk/chainguard/kyverno-cleanup-controller-fips-1.11 pkg:apk/chainguard/kyverno-cleanup-controller-fips-1.12 pkg:apk/chainguard/kyverno-cli-1.11 pkg:apk/chainguard/kyverno-cli-1.12 pkg:apk/chainguard/kyverno-cli-fips-1.11 pkg:apk/chainguard/kyverno-cli-fips-1.12 pkg:apk/chainguard/kyverno-fips-1.11 pkg:apk/chainguard/kyverno-fips-1.12 pkg:apk/chainguard/kyverno-init-container-1.11 pkg:apk/chainguard/kyverno-init-container-1.12 pkg:apk/chainguard/kyverno-init-container-fips-1.11 pkg:apk/chainguard/kyverno-init-container-fips-1.12 pkg:apk/chainguard/kyverno-reports-controller-1.11 pkg:apk/chainguard/kyverno-reports-controller-1.12 pkg:apk/chainguard/kyverno-reports-controller-fips-1.11 pkg:apk/chainguard/kyverno-reports-controller-fips-1.12 pkg:apk/chainguard/opa pkg:apk/chainguard/policy-controller pkg:apk/chainguard/policy-controller-fips pkg:apk/chainguard/policy-controller-tester pkg:apk/chainguard/policy-controller-tester-fips pkg:apk/chainguard/policy-controller-webhook pkg:apk/chainguard/snyk-cli pkg:apk/chainguard/spire-agent pkg:apk/chainguard/spire-agent-fips pkg:apk/chainguard/spire-oidc-discovery-provider pkg:apk/chainguard/spire-oidc-discovery-provider-fips pkg:apk/chainguard/spire-server pkg:apk/chainguard/spire-server-fips pkg:apk/chainguard/tfsec pkg:apk/chainguard/zarf pkg:apk/chainguard/zot pkg:apk/wolfi/conftest pkg:apk/wolfi/cosign pkg:apk/wolfi/cosign-fips pkg:apk/wolfi/datadog-agent pkg:apk/wolfi/datadog-agent-core-integrations pkg:apk/wolfi/datadog-agent-fakeintake pkg:apk/wolfi/datadog-agent-jmx pkg:apk/wolfi/datadog-agent-oci-compat pkg:apk/wolfi/datadog-agent-s6-overlay pkg:apk/wolfi/datadog-cluster-agent pkg:apk/wolfi/datadog-cluster-agent-oci-compat pkg:apk/wolfi/dogstatsd pkg:apk/wolfi/gatekeeper-3.17 pkg:apk/wolfi/gatekeeper-3.17-compat pkg:apk/wolfi/gatekeeper-3.17-crds pkg:apk/wolfi/gatekeeper-3.17-crds-compat pkg:apk/wolfi/gatekeeper-3.17-gator pkg:apk/wolfi/k8sgpt pkg:apk/wolfi/kots pkg:apk/wolfi/kots-compat pkg:apk/wolfi/kots-symlink-compat pkg:apk/wolfi/kubescape pkg:apk/wolfi/kyverno-1.12 pkg:apk/wolfi/kyverno-background-controller-1.12 pkg:apk/wolfi/kyverno-cleanup-controller-1.12 pkg:apk/wolfi/kyverno-cli-1.12 pkg:apk/wolfi/kyverno-init-container-1.12 pkg:apk/wolfi/kyverno-reports-controller-1.12 pkg:apk/wolfi/opa pkg:apk/wolfi/policy-controller pkg:apk/wolfi/policy-controller-tester pkg:apk/wolfi/policy-controller-webhook pkg:apk/wolfi/snyk-cli pkg:apk/wolfi/spire-agent pkg:apk/wolfi/spire-oidc-discovery-provider pkg:apk/wolfi/spire-server pkg:apk/wolfi/tfsec pkg:apk/wolfi/zarf pkg:apk/wolfi/zot pkg:golang/github.com/open-policy-agent/opa
< 0.55.0-r2+ 112 more
- (no CPE)range: < 0.55.0-r2
- (no CPE)range: < 0.55.0-r2
- (no CPE)range: < 2.4.0-r4
- (no CPE)range: < 2.4.0-r3
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.64.1-r0
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.64.1-r0
- (no CPE)range: < 7.64.1-r0
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.64.1-r0
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.64.1-r0
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.64.1-r0
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.64.1-r0
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.64.1-r0
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 0.3.42-r1
- (no CPE)range: < 1.117.2-r1
- (no CPE)range: < 1.117.2-r1
- (no CPE)range: < 1.117.2-r1
- (no CPE)range: < 3.0.18-r0
- (no CPE)range: < 1.11.5-r16
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.11.5-r16
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.11.5-r21
- (no CPE)range: < 1.12.7-r9
- (no CPE)range: < 1.11.5-r16
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.11.5-r21
- (no CPE)range: < 1.12.7-r9
- (no CPE)range: < 1.11.5-r16
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.11.5-r21
- (no CPE)range: < 1.12.7-r9
- (no CPE)range: < 1.11.5-r21
- (no CPE)range: < 1.12.7-r9
- (no CPE)range: < 1.11.5-r16
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.11.5-r21
- (no CPE)range: < 1.12.7-r9
- (no CPE)range: < 1.11.5-r16
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.11.5-r21
- (no CPE)range: < 1.12.7-r9
- (no CPE)range: < 0.68.0-r0
- (no CPE)range: < 0.9.0-r10
- (no CPE)range: < 0.12.0-r7
- (no CPE)range: < 0.9.0-r10
- (no CPE)range: < 0.12.0-r7
- (no CPE)range: < 0.9.0-r10
- (no CPE)range: < 1.1293.1-r1
- (no CPE)range: < 1.11.2-r5
- (no CPE)range: < 1.12.0-r0
- (no CPE)range: < 1.11.2-r5
- (no CPE)range: < 1.12.0-r0
- (no CPE)range: < 1.11.2-r5
- (no CPE)range: < 1.12.0-r0
- (no CPE)range: < 1.28.10-r2
- (no CPE)range: < 0.40.1-r1
- (no CPE)range: < 2.1.1-r2
- (no CPE)range: < 0.55.0-r2
- (no CPE)range: < 2.4.0-r4
- (no CPE)range: < 2.4.0-r3
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 7.56.2-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 3.17.1-r2
- (no CPE)range: < 0.3.42-r1
- (no CPE)range: < 1.117.2-r1
- (no CPE)range: < 1.117.2-r1
- (no CPE)range: < 1.117.2-r1
- (no CPE)range: < 3.0.18-r0
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 1.12.5-r4
- (no CPE)range: < 0.68.0-r0
- (no CPE)range: < 0.9.0-r10
- (no CPE)range: < 0.9.0-r10
- (no CPE)range: < 0.9.0-r10
- (no CPE)range: < 1.1293.1-r1
- (no CPE)range: < 1.11.2-r5
- (no CPE)range: < 1.11.2-r5
- (no CPE)range: < 1.11.2-r5
- (no CPE)range: < 1.28.10-r2
- (no CPE)range: < 0.40.1-r1
- (no CPE)range: < 2.1.1-r2
- (no CPE)range: < 0.68.0
Styra/OPAv5
Range: 0

Patches

10f4d553e6bb

loader: Block reading of UNC paths

https://github.com/open-policy-agent/opaAshutosh NarkarAug 15, 2024via ghsa

commit

2 files changed · +87 −0

loader/loader.go+31 −0 modified

@@ -247,13 +247,18 @@ func (fl fileLoader) AsBundle(path string) (*bundle.Bundle, error) {
 		return nil, err
 	}
 
+	if err := checkForUNCPath(path); err != nil {
+		return nil, err
+	}
+
 	var bundleLoader bundle.DirectoryLoader
 	var isDir bool
 	if fl.reader != nil {
 		bundleLoader = bundle.NewTarballLoaderWithBaseURL(fl.reader, path).WithFilter(fl.filter)
 	} else {
 		bundleLoader, isDir, err = GetBundleDirectoryLoaderFS(fl.fsys, path, fl.filter)
 	}
+
 	if err != nil {
 		return nil, err
 	}
@@ -303,6 +308,10 @@ func GetBundleDirectoryLoaderFS(fsys fs.FS, path string, filter Filter) (bundle.
 		return nil, false, err
 	}
 
+	if err := checkForUNCPath(path); err != nil {
+		return nil, false, err
+	}
+
 	var fi fs.FileInfo
 	if fsys != nil {
 		fi, err = fs.Stat(fsys, path)
@@ -663,12 +672,18 @@ func allRec(fsys fs.FS, path string, filter Filter, errors *Errors, loaded *Resu
 		return
 	}
 
+	if err := checkForUNCPath(path); err != nil {
+		errors.add(err)
+		return
+	}
+
 	var info fs.FileInfo
 	if fsys != nil {
 		info, err = fs.Stat(fsys, path)
 	} else {
 		info, err = os.Stat(path)
 	}
+
 	if err != nil {
 		errors.add(err)
 		return
@@ -804,3 +819,19 @@ func makeDir(path []string, x interface{}) (map[string]interface{}, bool) {
 	}
 	return makeDir(path[:len(path)-1], map[string]interface{}{path[len(path)-1]: x})
 }
+
+// isUNC reports whether path is a UNC path.
+func isUNC(path string) bool {
+	return len(path) > 1 && isSlash(path[0]) && isSlash(path[1])
+}
+
+func isSlash(c uint8) bool {
+	return c == '\\' || c == '/'
+}
+
+func checkForUNCPath(path string) error {
+	if isUNC(path) {
+		return fmt.Errorf("UNC path read is not allowed: %s", path)
+	}
+	return nil
+}

loader/loader_test.go+56 −0 modified

@@ -8,6 +8,7 @@ import (
 	"bytes"
 	"embed"
 	"encoding/json"
+	"fmt"
 	"io"
 	"io/fs"
 	"os"
@@ -574,6 +575,61 @@ func TestAsBundleWithFile(t *testing.T) {
 	})
 }
 
+func TestCheckForUNCPath(t *testing.T) {
+	cases := []struct {
+		input   string
+		wantErr bool
+		err     error
+	}{
+		{
+			input:   "c:/foo",
+			wantErr: false,
+		},
+		{
+			input:   "file:///c:/a/b",
+			wantErr: false,
+		},
+		{
+			input:   `\\localhost\c$`,
+			wantErr: true,
+			err:     fmt.Errorf("UNC path read is not allowed: \\\\localhost\\c$"),
+		},
+		{
+			input:   `\\\\localhost\c$`,
+			wantErr: true,
+			err:     fmt.Errorf("UNC path read is not allowed: \\\\\\\\localhost\\c$"),
+		},
+		{
+			input:   `//localhost/foo`,
+			wantErr: true,
+			err:     fmt.Errorf("UNC path read is not allowed: //localhost/foo"),
+		},
+		{
+			input:   `file:///a/b/c`,
+			wantErr: false,
+		},
+	}
+
+	for _, tc := range cases {
+		t.Run(tc.input, func(t *testing.T) {
+			err := checkForUNCPath(tc.input)
+			if tc.wantErr {
+				if err == nil {
+					t.Fatal("Expected error but got nil")
+				}
+
+				if tc.err != nil && tc.err.Error() != err.Error() {
+					t.Fatalf("Expected error message %v but got %v", tc.err.Error(), err.Error())
+				}
+			} else {
+				if err != nil {
+					t.Fatalf("Unexpected error %v", err)
+				}
+			}
+		})
+	}
+}
+
 func TestLoadRooted(t *testing.T) {
 	files := map[string]string{
 		"/foo.json":         "[1,2,3]",

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

github.com/advisories/GHSA-c77r-fh37-x2pxghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2024-8260ghsaADVISORY
github.com/open-policy-agent/opa/commit/10f4d553e6bb6ae9c69611ecdd9a77dda857070eghsaWEB
github.com/open-policy-agent/opa/releases/tag/v0.68.0ghsaWEB
pkg.go.dev/vuln/GO-2024-3141ghsaWEB
www.tenable.com/security/research/tra-2024-36ghsaWEB

News mentions

No linked articles in our index yet.

cvss	0.260
epss	0.000
exploit	0.000
kev	0.000
patch	-0.070
ransomware	0.000