Home

Description

Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() — the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.

PUBLISHED Reserved 2026-05-15 | Published 2026-06-10 | Updated 2026-06-10 | Assigner GitHub_M




HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-248: Uncaught Exception

CWE-400: Uncontrolled Resource Consumption

CWE-674: Uncontrolled Recursion

Product status

< 1.9.3
affected

References

github.com/...kanidm/security/advisories/GHSA-r5fr-9gmv-jggh

github.com/kanidm/kanidm/releases/tag/v1.9.3

cve.org (CVE-2026-46689)

nvd.nist.gov (CVE-2026-46689)

Download JSON