Platform: linux
Component: feast-feature-server
CVE-2026-23536 describes an Arbitrary File Access vulnerability found in the Feast Feature Server's /read-document endpoint. This flaw allows an unauthenticated attacker to read any file accessible to the server process, potentially leading to the exposure of sensitive information. The vulnerability impacts Feast Feature Server installations prior to the release of a fix. Mitigation involves upgrading to a patched version of the software.
The primary impact of CVE-2026-23536 is the unauthorized disclosure of sensitive files. An attacker exploiting this vulnerability could retrieve application configurations, credentials (API keys, passwords), and other system files. Because exploitation requires no authentication, the attack surface is significantly broader than for an authenticated flaw. The blast radius extends to any data readable by the Feast Feature Server process, whether stored locally or fetched from external sources. Although this specific flaw has no direct precedent, arbitrary file access is a well-known vulnerability class that often leads to privilege escalation or further compromise of the system.
CVE-2026-23536 was publicly disclosed on 2026-03-20. The vulnerability's severity is rated HIGH with a CVSS score of 7.5. Currently, there are no known public proof-of-concept exploits available. The vulnerability is not listed on the CISA KEV catalog as of this writing. The ease of exploitation, combined with the lack of authentication requirements, suggests a potential for opportunistic exploitation if the vulnerability remains unpatched.
Exploit Status
EPSS: 0.09% (25th percentile)
CISA SSVC:
CVSS Vector:
The recommended mitigation for CVE-2026-23536 is to upgrade to a patched version of Feast Feature Server as soon as it becomes available. Until a patch is applied, consider implementing temporary workarounds to restrict access to the /read-document endpoint. This could involve configuring a Web Application Firewall (WAF) to block suspicious requests or implementing stricter access controls within the Feast Feature Server configuration. Regularly review file permissions to ensure that the server process only has access to the necessary files. Monitor access logs for unusual activity related to the /read-document endpoint.
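The last recommendation above, monitoring access logs for unusual activity on the /read-document endpoint, can be turned into a small triage script. The example below is added here and is not code from the advisory or the Feast project; the log lines, IP addresses and the `path=` query key are constructed placeholders, since the page does not name the endpoint's real parameter.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed sample lines in common log format; not real Feast Feature Server traffic.
# "path=" is a placeholder query key: the advisory does not name the endpoint's parameter.
SAMPLE_LOG = """\
10.0.0.5 - - [20/Mar/2026:10:01:02 +0000] "GET /health HTTP/1.1" 200 17
10.0.0.5 - - [20/Mar/2026:10:01:05 +0000] "POST /read-document HTTP/1.1" 200 4096
10.0.0.9 - - [20/Mar/2026:10:02:11 +0000] "GET /read-document?path=..%2F..%2Fetc%2Fhosts HTTP/1.1" 200 220
10.0.0.9 - - [20/Mar/2026:10:02:12 +0000] "GET /read-document?path=/etc/hosts HTTP/1.1" 200 220
10.0.0.9 - - [20/Mar/2026:10:02:13 +0000] "GET /read-document?path=docs%2Freadme.txt HTTP/1.1" 200 900
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+$')
TRAVERSAL_RE = re.compile(r"(?:^|[=/\\])\.\.(?:[/\\]|$)")   # ".." used as a whole path segment
ABSOLUTE_RE = re.compile(r"(?:^|=)(?:/|[A-Za-z]:\\)")        # parameter value that starts at a filesystem root


def normalize(target: str) -> str:
    """Decode repeated URL-encoding so that ..%2F and %252e%252e%252f compare as a plain '../'."""
    prev, cur = None, target
    while prev != cur:
        prev, cur = cur, unquote(cur)
    return cur


def analyze(log_text: str, per_ip_threshold: int = 3) -> list[dict]:
    """One finding per suspicious /read-document request, plus a volume finding per noisy source IP."""
    findings, per_ip = [], Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not m["target"].partition("?")[0].endswith("/read-document"):
            continue
        per_ip[m["ip"]] += 1
        query = normalize(m["target"].partition("?")[2])
        reasons = []
        if TRAVERSAL_RE.search(query):
            reasons.append("path traversal sequence")
        if ABSOLUTE_RE.search(query):
            reasons.append("absolute path in query")
        if reasons:
            findings.append({"ip": m["ip"], "status": int(m["status"]), "target": m["target"], "reasons": reasons})
    for ip, n in per_ip.items():
        if n >= per_ip_threshold:
            findings.append({"ip": ip, "reasons": [f"{n} /read-document requests (threshold {per_ip_threshold})"]})
    return findings
```

Feed it a real access log with `analyze(open("access.log").read())`; tune `per_ip_threshold` to the volume a legitimate client of the endpoint normally produces.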
Update Red Hat OpenShift AI (RHOAI) to the latest available version. This resolves the unauthenticated arbitrary file read vulnerability in the Feast Feature Server.
CVE-2026-23536 is a HIGH severity vulnerability allowing unauthenticated attackers to read files on a Feast Feature Server. It impacts versions prior to the patch release, potentially exposing sensitive data.
If you are running Feast Feature Server prior to the patched version, you are potentially affected. Assess your deployment and upgrade as soon as possible.
The primary fix is to upgrade to the latest patched version of Feast Feature Server. Until then, consider WAF rules or access control restrictions.
As of now, there are no confirmed reports of active exploitation, but the vulnerability's ease of exploitation warrants immediate attention.
Refer to the official Feast Feature Server security advisories on their website or GitHub repository for the latest information and patch details.