CVE-2026-59954

Source
https://cve.org/CVERecord?id=CVE-2026-59954
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59954.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59954
Aliases
Published
2026-07-15T16:27:48.825Z
Modified
2026-07-17T03:46:03.251615807Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Apollo ConfigService access key authentication bypass via appId parsing and non-canonical matching
Details

Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to configuration data when AccessKey or management key authentication is enabled because ConfigService can accept a non-canonical appId variant during authentication while downstream request handling resolves it to the protected app, including accent variants under accent-insensitive collations or trailing-space variants under PAD SPACE collations on /configs and /configfiles endpoints. This issue is fixed in version 2.5.2.

Database specific
{
    "cwe_ids": [
        "CWE-20",
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59954.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/apolloconfig/apollo

Affected ranges

Type
GIT
Repo
https://github.com/apolloconfig/apollo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.6.2
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.5.0
v0.6.0
v0.6.3
v0.7.0
v0.8.0
v0.9.0
v0.9.1
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0
v2.*
v2.0.0
v2.0.0-RC1
v2.0.1
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.5.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59954.json"