CVE-2026-31866

See a problem?
Please try reporting it to the source first.
Source
https://cve.org/CVERecord?id=CVE-2026-31866
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31866.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-31866
Aliases
Downstream
Related
Published
2026-03-11T17:49:48.520Z
Modified
2026-04-02T13:24:13.636735Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVSS Calculator
Summary
Allocation of Resources Without Limits or Throttling in flagd
Details

flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context included in request payloads is read into memory without any size restriction. An attacker can send a single HTTP request with an arbitrarily large body, causing flagd to allocate a corresponding amount of memory. This leads to immediate memory exhaustion and process termination (e.g., OOMKill in Kubernetes environments). flagd does not natively enforce authentication on its evaluation endpoints. While operators may deploy flagd behind an authenticating reverse proxy or similar infrastructure, the endpoints themselves impose no access control by default. This vulnerability is fixed in 0.14.2.

Database specific 
{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/31xxx/CVE-2026-31866.json",
    "cwe_ids": [
        "CWE-770"
    ]
}
References

Affected packages

Git / github.com/open-feature/flagd

Affected ranges

Type
GIT
Repo
https://github.com/open-feature/flagd
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
c250d1c81d9917ac9a2ca5360f1fcd7266d29533

Affected versions

core/v0.*
core/v0.10.0
core/v0.10.1
core/v0.10.2
core/v0.10.3
core/v0.10.4
core/v0.10.5
core/v0.10.6
core/v0.10.7
core/v0.10.8
core/v0.11.0
core/v0.11.1
core/v0.11.2
core/v0.11.3
core/v0.11.4
core/v0.11.5
core/v0.11.6
core/v0.11.7
core/v0.11.8
core/v0.12.0
core/v0.12.1
core/v0.13.0
core/v0.13.1
core/v0.13.2
core/v0.13.3
core/v0.14.0
core/v0.4.4
core/v0.4.5
core/v0.5.0
core/v0.5.1
core/v0.5.2
core/v0.5.3
core/v0.5.4
core/v0.6.0
core/v0.6.1
core/v0.6.2
core/v0.6.3
core/v0.6.4
core/v0.6.5
core/v0.6.6
core/v0.6.7
core/v0.6.8
core/v0.7.0
core/v0.7.1
core/v0.7.2
core/v0.7.3
core/v0.7.4
core/v0.7.5
core/v0.8.0
core/v0.8.1
core/v0.8.2
core/v0.9.0
core/v0.9.1
core/v0.9.2
core/v0.9.3
flagd-proxy/v0.*
flagd-proxy/v0.2.0
flagd-proxy/v0.2.1
flagd-proxy/v0.2.10
flagd-proxy/v0.2.11
flagd-proxy/v0.2.12
flagd-proxy/v0.2.13
flagd-proxy/v0.2.2
flagd-proxy/v0.2.3
flagd-proxy/v0.2.4
flagd-proxy/v0.2.5
flagd-proxy/v0.2.6
flagd-proxy/v0.2.7
flagd-proxy/v0.2.8
flagd-proxy/v0.2.9
flagd-proxy/v0.3.0
flagd-proxy/v0.3.1
flagd-proxy/v0.3.2
flagd-proxy/v0.4.0
flagd-proxy/v0.4.1
flagd-proxy/v0.4.2
flagd-proxy/v0.5.0
flagd-proxy/v0.5.1
flagd-proxy/v0.5.2
flagd-proxy/v0.6.0
flagd-proxy/v0.6.1
flagd-proxy/v0.6.10
flagd-proxy/v0.6.11
flagd-proxy/v0.6.2
flagd-proxy/v0.6.3
flagd-proxy/v0.6.4
flagd-proxy/v0.6.5
flagd-proxy/v0.6.6
flagd-proxy/v0.6.7
flagd-proxy/v0.6.8
flagd-proxy/v0.6.9
flagd-proxy/v0.7.0
flagd-proxy/v0.7.1
flagd-proxy/v0.7.2
flagd-proxy/v0.7.3
flagd-proxy/v0.7.4
flagd-proxy/v0.7.5
flagd-proxy/v0.7.6
flagd-proxy/v0.8.0
flagd-proxy/v0.8.1
flagd-proxy/v0.8.2
flagd-proxy/v0.8.3
flagd-proxy/v0.9.0
flagd/v0.*
flagd/v0.10.0
flagd/v0.10.1
flagd/v0.10.2
flagd/v0.10.3
flagd/v0.11.0
flagd/v0.11.1
flagd/v0.11.2
flagd/v0.11.3
flagd/v0.11.4
flagd/v0.11.5
flagd/v0.11.6
flagd/v0.11.7
flagd/v0.11.8
flagd/v0.12.0
flagd/v0.12.1
flagd/v0.12.2
flagd/v0.12.3
flagd/v0.12.4
flagd/v0.12.5
flagd/v0.12.6
flagd/v0.12.7
flagd/v0.12.8
flagd/v0.12.9
flagd/v0.13.0
flagd/v0.13.1
flagd/v0.13.2
flagd/v0.13.3
flagd/v0.14.0
flagd/v0.14.1
flagd/v0.4.4
flagd/v0.4.5
flagd/v0.5.0
flagd/v0.5.1
flagd/v0.5.2
flagd/v0.5.3
flagd/v0.5.4
flagd/v0.6.0
flagd/v0.6.1
flagd/v0.6.2
flagd/v0.6.3
flagd/v0.6.4
flagd/v0.6.5
flagd/v0.6.6
flagd/v0.6.7
flagd/v0.6.8
flagd/v0.7.0
flagd/v0.7.1
flagd/v0.7.2
flagd/v0.8.0
flagd/v0.8.1
flagd/v0.8.2
flagd/v0.9.0
flagd/v0.9.1
flagd/v0.9.2
kube-flagd-proxy/v0.*
kube-flagd-proxy/v0.1.1
kube-flagd-proxy/v0.1.2
v0.*
v0.0.1
v0.0.2
v0.0.2-1
v0.0.3
v0.0.4
v0.0.5
v0.0.6
v0.0.7
v0.0.8
v0.0.9
v0.1.0
v0.1.1
v0.2.0
v0.2.1
v0.2.2
v0.2.3
v0.2.4
v0.2.5
v0.2.7
v0.3.0
v0.3.1
v0.3.2
v0.3.3
v0.3.4
v0.3.5
v0.3.6
v0.3.7
v0.4.0
v0.4.1
v0.4.2

Database specific

source 
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-31866.json"