OSV Advisory · Critical severity · Published Jan 7, 2026 · Updated Apr 15, 2026
CVE-2026-0650
Description
OpenFlagr versions up to and including 1.1.18 contain an authentication bypass in the HTTP middleware. The whitelist logic that exempts certain paths from authentication matches request paths against allowed prefixes without normalizing them first, so a crafted request whose path begins with a whitelisted prefix can be routed to a protected API endpoint and served without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| github.com/openflagr/flagr | Go | < 0.0.0-20251009103504-fe83dc87aa40 | 0.0.0-20251009103504-fe83dc87aa40 |
Affected products
- pkg:golang/github.com/openflagr/flagr (no CPE); range: < 0.0.0-20251009103504-fe83dc87aa40
- pkg:rpm/opensuse/govulncheck-vulndb&distro=openSUSE%20Leap%2015.6 (no CPE); range: < 0.0.20260114T191543-150000.1.137.1
Patches
Fixed in commit fe83dc87aa404a57554aa5839ac450f55c203570 (Go module pseudo-version 0.0.0-20251009103504-fe83dc87aa40), shipped in release 1.1.19.
Vulnerability mechanics
The middleware decides whether a request needs credentials by matching its path against a whitelist of allowed prefixes. That comparison is made on the request path as received, while the path actually dispatched to a handler is its normalized form, so a path that textually starts with a whitelisted prefix can normalize to a protected endpoint and be served unauthenticated. A practical check for any similar middleware: confirm that the authentication decision and the route dispatch are made on the same canonical form of the path.
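The following Go program is an added illustration of this bug class and is not OpenFlagr's code. It models a prefix whitelist evaluated on the raw request path next to a router that dispatches on the normalized path, then shows the hardened form of the check. The whitelist entries, route names and request paths are assumptions chosen for the demonstration, not values taken from the project.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Illustrative example only; not OpenFlagr's middleware. The prefixes,
// routes and handler names below are assumptions for the demonstration.

// whitelistPrefixes: assumed paths that may be called without credentials.
var whitelistPrefixes = []string{
	"/api/v1/health",
	"/api/v1/evaluation",
}

// protectedRoutes stands in for the router table: canonical path -> handler.
var protectedRoutes = map[string]string{
	"/api/v1/flags":  "listFlags (requires auth)",
	"/api/v1/export": "exportData (requires auth)",
}

// canonical normalizes a path the way routers commonly do: guarantee a
// leading slash, collapse "//", and resolve "." and ".." segments.
func canonical(p string) string {
	if !strings.HasPrefix(p, "/") {
		p = "/" + p
	}
	return path.Clean(p)
}

// isWhitelistedVulnerable mirrors the flawed pattern: a plain HasPrefix test
// on the raw, un-normalized path.
func isWhitelistedVulnerable(rawPath string) bool {
	for _, prefix := range whitelistPrefixes {
		if strings.HasPrefix(rawPath, prefix) {
			return true
		}
	}
	return false
}

// isWhitelistedHardened normalizes first, so the value being whitelisted is
// the same value the router dispatches on, and only accepts a prefix match
// that ends on a segment boundary ("/api/v1/healthz" is not "/api/v1/health").
func isWhitelistedHardened(rawPath string) bool {
	p := canonical(rawPath)
	for _, prefix := range whitelistPrefixes {
		if p == prefix || strings.HasPrefix(p, prefix+"/") {
			return true
		}
	}
	return false
}

// dispatch returns the handler the router would select for a request.
func dispatch(rawPath string) string {
	if h, ok := protectedRoutes[canonical(rawPath)]; ok {
		return h
	}
	return "public or not found"
}

// servedWithoutAuth reports the selected handler and whether the given
// whitelist check would let a protected handler run with no credentials.
func servedWithoutAuth(rawPath string, whitelisted func(string) bool) (handler string, bypass bool) {
	handler = dispatch(rawPath)
	_, protected := protectedRoutes[canonical(rawPath)]
	return handler, whitelisted(rawPath) && protected
}

func main() {
	// Constructed request paths: one honest, two that textually start with a
	// whitelisted prefix but normalize to a protected route.
	for _, raw := range []string{
		"/api/v1/health",
		"/api/v1/health/../flags",
		"/api/v1/evaluation//../export",
	} {
		h, vuln := servedWithoutAuth(raw, isWhitelistedVulnerable)
		_, fixed := servedWithoutAuth(raw, isWhitelistedHardened)
		fmt.Printf("%-32s -> %-28s vulnerable bypass=%v hardened bypass=%v\n", raw, h, vuln, fixed)
	}
}
```

Two caveats carry over to real code. In Go, `r.URL.Path` is already percent-decoded, so `path.Clean` on it also neutralizes `%2e%2e` spellings of `..`; a router that matches on `RawPath` or the raw request line needs the same normalization applied to whatever it actually routes on. And normalizing inside the middleware only closes the gap when the router dispatches on the same canonical value; the underlying fault is two components disagreeing about which resource a path names.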
References
- github.com/advisories/GHSA-rwp9-5g7q-73q3 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2026-0650 (advisory)
- dreyand.rs/code%20review/golang/2026/01/03/0day-speedrun-openflagr-less-1118-authentication-bypass (write-up)
- github.com/openflagr/flagr/commit/fe83dc87aa404a57554aa5839ac450f55c203570 (fix commit)
- github.com/openflagr/flagr/releases/tag/1.1.19 (release)
- www.vulncheck.com/advisories/openflagr-authentication-bypass-via-prefix-whitelist-path-normalization (advisory)