CVE-2026-0650
CRITICALOpenFlagr <= 1.1.18 - Unauthenticated Authentication Bypass via Path Normalization
Title source: llmDescription
OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.
References (3)
Core 3
Core References
Various Sources technical-description
exploit
https://dreyand.rs/code%20review/golang/2026/01/03/0day-speedrun-openflagr-less-1118-authentication-bypass
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/openflagr-authentication-bypass-via-prefix-whitelist-path-normalization
Release Notes release-notes
patch
https://github.com/openflagr/flagr/releases/tag/1.1.19
Scores
CVSS v4
9.3
EPSS
0.0044
EPSS Percentile
34.8%
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CISA SSVC
Vulnrichment
Exploitation
poc
Automatable
yes
Technical Impact
total
Details
CWE
CWE-306
CWE-425
Status
published
Products (2)
OpenFlagr/Flagr
< 1.1.18
openflagr/flagr
0 - 0.0.0-20251009103504-fe83dc87aa40Go
Published
Jan 07, 2026
Tracked Since
Feb 18, 2026