Platform
linux
Component
feast-feature-server
CVE-2026-23536 describes an arbitrary file access vulnerability in the Feast Feature Server's /read-document endpoint. An unauthenticated remote attacker can read any file that the server process itself can read, which may expose sensitive information. All versions of Feast Feature Server released before the patch are affected; the mitigation is to upgrade to a patched release.
The impact of CVE-2026-23536 is significant because exploitation is simple and the data that can be exposed is broad. An attacker bypasses the intended access restrictions by sending a specially crafted HTTP POST request to the /read-document endpoint and can retrieve system files, application configuration, and any credentials stored on disk. What the attacker gains is bounded by the permissions of the server process: if that process can read secrets such as cloud credentials or database passwords, a file read can escalate into compromise of the Feast instance and the infrastructure those secrets unlock. Because no authentication is required, the endpoint is reachable by anyone who can send HTTP requests to the server.
CVE-2026-23536 was publicly disclosed on 2026-03-20. The vulnerability's simplicity and lack of authentication suggest a high likelihood of exploitation once details circulate. No public proof-of-concept exploit is currently known, and the EPSS score shown on this page is low (0.09%, 25th percentile), but a request that needs no credentials and no special tooling is an easy target for opportunistic scanning. It is not listed in the CISA KEV catalog as of this writing.
Organizations running Feast Feature Server in production are at risk, in particular those with unpatched instances or with no access controls in front of the /read-document endpoint. Shared hosts where Feast Feature Server runs alongside other applications carry additional risk: any file of a co-located tenant that the Feast process can read is exposed as well.
• linux / server: journalctl -u feast-feature-server -g "/read-document"
• generic web: curl -I <feast_feature_server_url>/read-document
• generic web: grep -r "/read-document" /var/log/nginx/access.log
Note that curl -I sends a HEAD request, so it only confirms that the endpoint is reachable; it does not test for the vulnerability itself. The journalctl and grep commands find requests to the endpoint in the service journal and in a reverse proxy's access log respectively; the requests of interest are POSTs, especially from sources that have no business calling the endpoint.
Disclosure
Exploit status
EPSS
0.09% (25th percentile)
CISA SSVC
CVSS vector
The primary mitigation for CVE-2026-23536 is to upgrade to a patched version of Feast Feature Server. The specific fixed version is not provided here, so verify the fix against the upstream advisory and test the upgrade in a non-production environment before rolling it out. As a temporary workaround, restrict access to the /read-document endpoint at a reverse proxy or network layer so that only authorized users or source IP ranges can reach it. A web application firewall (WAF) can be configured to block requests to this endpoint or requests carrying suspicious payloads aimed at it. Monitor Feast Feature Server and proxy logs for unusual activity, in particular HTTP POST requests to /read-document from unexpected sources, and treat successful (2xx) responses to such requests as potential data exposure.
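The detection commands above only locate lines that mention the endpoint; the monitoring recommendation is to look specifically for POST requests to /read-document from sources that should not be calling it. The following script is an added example (not part of the original page or of the Feast project) that runs that logic over a few constructed nginx access-log lines. The log lines, the hypothetical internal allowlist (10.0.0.0/8) and the priority labels are assumptions for illustration; the endpoint path /read-document and the POST method are the only details taken from the advisory text.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample access-log lines in nginx "combined" format. These are
# illustrative only and do not come from any real deployment.
SAMPLE_LOG = """\
10.0.1.15 - - [20/Mar/2026:10:01:02 +0000] "GET /health HTTP/1.1" 200 15 "-" "kube-probe/1.29"
10.0.1.22 - - [20/Mar/2026:10:01:05 +0000] "POST /get-online-features HTTP/1.1" 200 812 "-" "python-requests/2.31"
203.0.113.7 - - [20/Mar/2026:10:02:11 +0000] "POST /read-document HTTP/1.1" 200 1532 "-" "curl/8.5.0"
203.0.113.7 - - [20/Mar/2026:10:02:14 +0000] "POST /read-document HTTP/1.1" 200 4096 "-" "curl/8.5.0"
10.0.1.22 - - [20/Mar/2026:10:03:00 +0000] "POST /read-document HTTP/1.1" 200 640 "-" "python-requests/2.31"
198.51.100.9 - - [20/Mar/2026:10:04:41 +0000] "GET /read-document HTTP/1.1" 405 0 "-" "Mozilla/5.0"
"""

# Hypothetical allowlist: internal ranges that are permitted to call the endpoint.
ALLOWED_NETWORKS = [ip_network("10.0.0.0/8")]

TARGET_PATH = "/read-document"

# Matches the request line and status of a combined-format log entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["bytes"] = 0 if rec["bytes"] == "-" else int(rec["bytes"])
    return rec


def is_allowed(ip, allowed=None):
    """True if the source address falls inside one of the allowlisted networks."""
    allowed = ALLOWED_NETWORKS if allowed is None else allowed
    try:
        addr = ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def find_suspicious(log_text, allowed=None):
    """Return every request to TARGET_PATH, labelled by how urgently it needs review.

    "high": a POST from outside the allowlist that the server answered with 2xx,
            i.e. the pattern the advisory describes, apparently succeeding.
    "review": any other hit on the endpoint (allowlisted client, non-POST method,
            or a rejected request), kept so that probing is still visible.
    """
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        # Ignore any query string when matching the endpoint path.
        if rec["path"].split("?", 1)[0] != TARGET_PATH:
            continue
        rec["allowed_source"] = is_allowed(rec["ip"], allowed)
        succeeded = 200 <= rec["status"] < 300
        if rec["method"] == "POST" and not rec["allowed_source"] and succeeded:
            rec["priority"] = "high"
        else:
            rec["priority"] = "review"
        events.append(rec)
    return events


def top_sources(events):
    """Count hits on the endpoint per non-allowlisted source address."""
    return Counter(e["ip"] for e in events if not e["allowed_source"])


def main():
    events = find_suspicious(SAMPLE_LOG)
    for e in events:
        print(f'{e["priority"]:6} {e["ip"]:15} {e["method"]} {e["path"]} '
              f'-> {e["status"]} ({e["bytes"]} bytes)')
    print("external sources:", dict(top_sources(events)))


if __name__ == "__main__":
    main()
```

On the sample data the two successful POSTs from 203.0.113.7 are flagged high, the POST from the allowlisted 10.0.1.22 and the rejected GET from 198.51.100.9 are kept for review. Replace SAMPLE_LOG with the contents of the proxy's access log and the allowlist with the ranges that legitimately call the feature server; the response size of a high-priority hit gives a rough indication of how much file content left the server.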
Update Red Hat OpenShift AI (RHOAI) to the latest available version. This fixes the unauthenticated arbitrary file read vulnerability in the Feast Feature Server.
CVE-2026-23536 is a HIGH severity vulnerability that lets unauthenticated attackers read files from a Feast Feature Server. It affects versions released before the patch and can expose sensitive data readable by the server process.
If you run a Feast Feature Server version older than the patched release, you are potentially affected. Assess your deployment and upgrade as soon as possible.
The primary fix is to upgrade to the latest patched version of Feast Feature Server. Until then, restrict access to the /read-document endpoint with WAF rules or network-level access controls.
As of now there are no confirmed reports of active exploitation, but the ease of exploitation warrants immediate attention.
Refer to the official Feast security advisories on the project's website or GitHub repository for the latest information and patch details.