236 matches found
CVE-2025-57815
CVE-2025-57815 (Fides) describes a lack of anti-automation protections on the Admin UI login endpoint prior to version 2.69.1, enabling brute-force style credential testing (credential stuffing/password spraying) against accounts with weak or compromised passwords. Affected product: Fides (Open S...
GHSA-HJFH-P8F5-24WR Fides Webserver API is Vulnerable to OAuth Client Privilege Escalation
Summary The OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly privileged users with client:create or client:update permissions to escalate their privileges to owner-level. Details When creating or updating OAuth...
Fides Webserver API Rate Limiting Vulnerability in Proxied Environments
Summary The Fides Webserver API's built-in IP-based rate limiting is ineffective in environments with CDNs, proxies or load balancers. The system incorrectly applies rate limits based on directly connected infrastructure IPs rather than client IPs, and stores counters in-memory rather than in a...
Brute Force
Overview ethyca-fides is an Open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Brute Force via insufficient protections on the authentication process. An attacker can gain unauthorized access to user accounts by performing automated credential...
Insufficient Session Expiration
Overview ethyca-fides is an Open-source ecosystem for data privacy as code. Affected versions of this package are vulnerable to Insufficient Session Expiration due to the insufficient session management. The authentication system validates tokens based on their cryptographic integrity and...
GHSA-RPW8-82V9-3Q87 Fides' Admin UI User Password Change Does Not Invalidate Current Session
Summary Admin UI user password changes in Fides do not invalidate active user sessions, creating a vulnerability chaining opportunity where attackers who have obtained session tokens through other attack vectors such as XSS can maintain access even after password reset. This issue is not directly...
Fides 安全漏洞
Fides is an open source privacy engineering platform open-sourced by Ethyca to manage the implementation of data privacy requests in the runtime environment and the enforcement of privacy regulations in code. A security vulnerability exists in versions of Fides prior to 2.69.1 that stems from a...
Fides 代码问题漏洞
Fides is an open source privacy engineering platform open-sourced by Ethyca to manage the implementation of data privacy requests in the runtime environment and the enforcement of privacy regulations in code. A code issue vulnerability exists in Fides versions prior to 2.69.1, which stems from a...
Fides 安全漏洞
Fides is an open source privacy engineering platform open-sourced by Ethyca to manage the implementation of data privacy requests in the runtime environment and the enforcement of privacy regulations in code. A security vulnerability exists in Fides versions prior to 2.69.1 that stems from an...
Fides 安全漏洞
Fides is an open source privacy engineering platform open-sourced by Ethyca to manage the implementation of data privacy requests in the runtime environment and the enforcement of privacy regulations in code. A security vulnerability exists in Fides versions prior to 2.69.1, which stems from an I...
PT-2025-36507
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.69.1 Description: Fides is an open-source privacy engineering platform. Admin UI user password changes do not invalidate active user sessions prior to version 2.69.1, creating a vulnerability chaining opportunity...
PT-2025-36510
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.69.1 Description: Fides is an open-source privacy engineering platform. The OAuth client creation and update endpoints of the Fides Webserver API do not properly authorize scope assignment. This allows highly...
PT-2025-36509
Name of the Vulnerable Software and Affected Versions: Fides versions prior to 2.69.1 Description: Fides is an open-source privacy engineering platform. The built-in IP-based rate limiting in the Fides Webserver API is ineffective in environments utilizing CDNs, proxies, or load balancers. The...
Securing AI Agents with Information-Flow Control
As AI agents become increasingly autonomous and capable, ensuring their security against vulnerabilities such as prompt injection becomes critical. This paper explores the use of information-flow control IFC to provide security guarantees for AI agents. We present a formal model to reason about t...
CVE-2024-45052
Fides is an open-source privacy engineering platform. Prior to version 2.44.0, a timing-based username enumeration vulnerability exists in Fides Webserver authentication. This vulnerability allows an unauthenticated attacker to determine the existence of valid usernames by analyzing the time it...
CVE-2024-31223
Fides is an open-source privacy engineering platform, and SERVERSIDEFIDESAPIURL is a server-side configuration environment variable used by the Fides Privacy Center to communicate with the Fides webserver backend. The value of this variable is a URL which typically includes a private IP address,...
CVE-2023-36827
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. A path traversal directory traversal vulnerability affects fides versions lower than version 2.15.1, allowing...
CVE-2023-41319
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in a runtime environment, and the enforcement of privacy regulations in code. The Fides webserver API allows custom integrations to be uploaded as a ZIP file. This ZIP file must contain YAML...
CVE-2023-47114
Fides is an open-source privacy engineering platform for managing the fulfillment of data privacy requests in your runtime environment, and the enforcement of privacy regulations in your code. The Fides web application allows data subject users to request access to their personal data. If the...
CVE-2024-45053
Fides is an open-source privacy engineering platform. Starting in version 2.19.0 and prior to version 2.44.0, the Email Templating feature uses Jinja2 without proper input sanitization or rendering environment restrictions, allowing for Server-Side Template Injection that grants Remote Code...