Home
HIGH: 7.5 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NDefault status
affected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Default status
unaffected
Description
A security issue was discovered in the Feast Feature Server's `/read-document` endpoint that allows an unauthenticated remote attacker to read any file accessible to the server process. By sending a specially crafted HTTP POST request, an attacker can bypass intended access restrictions to potentially retrieve sensitive system files, application configurations, and credentials.
Problem types
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
Product status
Timeline
| 2026-01-13: | Reported to Red Hat. |
| 2026-03-20: | Made public. |
Credits
This issue was discovered by Jitendra Yejare (Red Hat).
References
access.redhat.com/security/cve/CVE-2026-23536
bugzilla.redhat.com/show_bug.cgi?id=2429302 (RHBZ#2429302)