CVE-2026-11752 | THREATINT

Description

A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.

PUBLISHED Reserved 2026-06-09 | Published 2026-06-19 | Updated 2026-06-19 | Assigner LY-Corporation

MEDIUM: 5.9CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-73

Product status

Default status

unaffected

1.38.0 (custom) before 1.40.0

affected

References

github.com/...rmeria/security/advisories/GHSA-hgw6-8c77-v4gq

cve.org (CVE-2026-11752)

nvd.nist.gov (CVE-2026-11752)

Download JSON