CVE-2026-59955

Source
https://cve.org/CVERecord?id=CVE-2026-59955
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59955.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-59955
Aliases
Published
2026-07-15T16:26:05.005Z
Modified
2026-07-17T03:46:37.664764911Z
Severity
  • 7.5 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Apollo ConfigService access key authentication bypass via raw config file appId parsing
Details

Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.2, Apollo ConfigService may allow unauthorized access to raw configuration data when AccessKey or management key authentication is enabled because requests under /configfiles/raw/{appId}/{clusterName}/{namespace} are parsed for authentication as appId raw instead of the actual path appId, causing ConfigService to look up AccessKey secrets for raw before verifying the request signature and potentially continue without signature verification for the target appId. This issue is fixed in version 2.5.2.

Database specific
{
    "cwe_ids": [
        "CWE-20",
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/59xxx/CVE-2026-59955.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/apolloconfig/apollo

Affected ranges

Type
GIT
Repo
https://github.com/apolloconfig/apollo
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "2.5.2"
        }
    ],
    "source": [
        "AFFECTED_FIELD",
        "REFERENCES"
    ]
}

Affected versions

0.*
0.6.2
v0.*
v0.10.0
v0.10.1
v0.10.2
v0.11.0
v0.5.0
v0.6.0
v0.6.3
v0.7.0
v0.8.0
v0.9.0
v0.9.1
v1.*
v1.0.0
v1.1.0
v1.1.1
v1.2.0
v1.3.0
v1.4.0
v1.5.0
v1.6.0
v1.7.0
v1.8.0
v1.9.0
v2.*
v2.0.0
v2.0.0-RC1
v2.0.1
v2.1.0
v2.2.0
v2.3.0
v2.4.0
v2.5.0
v2.5.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-59955.json"