CVE-2026-59955:
Java Análisis y mitigación de vulnerabilidades
Vista general
CVE-2026-59955 is an authentication bypass vulnerability in Apollo ConfigService that allows unauthenticated remote attackers to read raw configuration data by exploiting incorrect appId parsing in the raw config file endpoint. The flaw affects all versions of com.ctrip.framework.apollo:apollo (Maven) up to and including 2.5.1, and was published on July 12–13, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Apollo Advisory).
Técnicas
The root cause is improper input validation (CWE-20) combined with improper authentication (CWE-287) in Apollo ConfigService's authentication logic for the /configfiles/raw/{appId}/{clusterName}/{namespace} endpoint. When processing authentication for this path, ConfigService incorrectly parsed the appId as the literal string "raw" — the first path segment after /configfiles/ — rather than the actual {appId} value in the URL. ConfigService then used this misidentified appId to look up available AccessKey secrets; if no AccessKey is registered for an application named "raw", the service finds no secrets and skips signature verification entirely, even when AccessKey or management key authentication is properly configured for the real target application. A related non-canonical appId matching issue is tracked separately under GHSA-4w3q-qpfq-v992 (GitHub Advisory, Apollo Advisory).
Impacto
Successful exploitation allows an unauthenticated remote attacker to read raw configuration data from any application hosted on a vulnerable Apollo ConfigService instance, even when AccessKey or management key authentication is enabled. Configuration data in Apollo typically contains sensitive application settings such as database credentials, API keys, service endpoints, and other secrets, making this a significant confidentiality breach. There is no integrity or availability impact, but exposed credentials could enable lateral movement into downstream systems (GitHub Advisory, Apollo Advisory).
Pasos de explotación
- Reconnaissance: Identify internet-facing or network-accessible Apollo ConfigService instances (default port 8080) running versions ≤ 2.5.1, using tools like Shodan, Censys, or internal network scanning.
- Identify target application: Determine a valid
{appId},{clusterName}, and{namespace}for a target application registered in the Apollo instance (e.g., via exposed Apollo Portal UI or known naming conventions). - Craft malicious request: Send an unauthenticated HTTP GET request to the raw config endpoint using the known appId:
GET /configfiles/raw/{appId}/{clusterName}/{namespace}— without any AccessKey signature headers. - Authentication bypass triggered: ConfigService parses the appId as
"raw"instead of the actual{appId}, finds no AccessKey secrets for an app named"raw", and skips signature verification. - Retrieve configuration data: The server returns the raw configuration file contents for the target application, potentially exposing database credentials, API keys, and other sensitive secrets (GitHub Advisory, Apollo Advisory).
Indicadores de compromiso
- Network: Unauthenticated HTTP GET requests to
/configfiles/raw/{appId}/{clusterName}/{namespace}endpoints on Apollo ConfigService (port 8080 by default) withoutAuthorizationor AccessKey signature headers; unusual volume of requests to this endpoint pattern from external or unexpected IP addresses. - Logs: Apollo ConfigService access logs showing requests to
/configfiles/raw/paths that succeed (HTTP 200) without accompanying authentication headers; absence of signature validation log entries for requests that return configuration data. - Process/Application: ConfigService logs indicating appId lookup returning no secrets for appId
"raw"followed by a successful configuration data response for a different application's namespace.
Mitigación y soluciones alternativas
The fix is available in Apollo 2.5.2, which validates ConfigService AccessKey app IDs correctly during client authentication (commit 310809d). Users should upgrade to Apollo 2.5.2 or later immediately by deploying updated executables in the order: apollo-configservice, apollo-adminservice, then apollo-portal. No schema changes are required when upgrading from v2.5.1. As a temporary workaround prior to upgrading, operators may consider restricting network access to the ConfigService /configfiles/raw/ endpoint via firewall rules or reverse proxy ACLs (Apollo Release, Apollo Advisory).
Reacciones de la comunidad
The vulnerability was discovered and reported by researchers zhou-youyou and Jarvis-Huanglz, and was published by Apollo maintainer nobodyiam on July 12, 2026. No significant broader media coverage or notable community commentary beyond the official advisory has been identified at this time (Apollo Advisory).
Recursos adicionales
Fuente: Este informe se generó utilizando IA
Relacionado Java Vulnerabilidades:
Evaluación gratuita de vulnerabilidades
Compare su postura de seguridad en la nube
Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.
Recursos adicionales de Wiz
Obtén una demostración personalizada
¿Listo para ver a Wiz en acción?
"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."