30 matches found
CVE-2026-31838 Istio HTTP debug endpoints on port 15014 to enforce namespace-based authorization, preventing cross-namespace proxy data access.
Istio is an open platform to connect, manage, and secure microservices. Prior to 1.29.1, 1.28.5, and 1.27.8, a vulnerability in Envoy RBAC header matching could allow authorization policy bypass when policies rely on HTTP headers that may contain multiple values. An attacker could craft requests...
CVE-2026-23517
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...
CVE-2026-23517
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...
CVE-2026-23517
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...
CVE-2026-23517 Fleet has an Access Control vulnerability in debug/pprof endpoints
Fleet is open source device management software. A broken access control issue in versions prior to 4.78.3, 4.77.1, 4.76.2, 4.75.2, and 4.53.3 allowed authenticated users to access debug and profiling endpoints regardless of role. As a result, low-privilege users could view internal server...
Incorrect Authorization
Overview Affected versions of this package are vulnerable to Incorrect Authorization via the debug/pprof endpoints. An attacker can access sensitive server internals, including runtime profiling data and in-memory application state, and trigger CPU-intensive profiling operations that could impact...
PT-2026-3740
Impact Fleet’s debug/pprof endpoints are accessible to any authenticated user regardless of role, including the lowest-privilege “Observer” role. This allows low-privilege users to access sensitive server internals, including runtime profiling data and in-memory application state, and to trigger...
PT-2026-3749
Name of the Vulnerable Software and Affected Versions Fleet versions prior to 4.53.3 Fleet versions 4.53.3 through 4.75.2 Fleet versions 4.75.2 through 4.76.2 Fleet versions 4.76.2 through 4.77.1 Fleet versions 4.77.1 through 4.78.3 Description Fleet, an open source device management software, ha...
Exposure of debug and metrics endpoints in Pomerium
Impact In distributed service mode, Pomerium's Authenticate service exposes pprof debug and prometheus metrics handlers to untrusted traffic. This can leak potentially sensitive environmental information or lead to limited denial of service conditions. Patches v0.17.1 Workarounds Block access to...
PT-2010-3244 · Linksys · Linksys Wap54Gv3
Name of the Vulnerable Software and Affected Versions: Linksys WAP54Gv3 firmware versions 3.04.03 and earlier Description: The issue allows remote attackers to execute arbitrary commands due to the use of hard-coded credentials for a debug interface on certain web pages. Specifically, the...