CVE-2026-59955
Java Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-59955 is an authentication bypass vulnerability in Apollo ConfigService that allows unauthenticated remote attackers to read raw configuration data by exploiting incorrect appId parsing in the raw config file endpoint. The flaw affects all versions of com.ctrip.framework.apollo:apollo (Maven) up to and including 2.5.1, and was published on July 12–13, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Apollo Advisory).

Técnicas

The root cause is improper input validation (CWE-20) combined with improper authentication (CWE-287) in Apollo ConfigService's authentication logic for the /configfiles/raw/{appId}/{clusterName}/{namespace} endpoint. When processing authentication for this path, ConfigService incorrectly parsed the appId as the literal string "raw" — the first path segment after /configfiles/ — rather than the actual {appId} value in the URL. ConfigService then used this misidentified appId to look up available AccessKey secrets; if no AccessKey is registered for an application named "raw", the service finds no secrets and skips signature verification entirely, even when AccessKey or management key authentication is properly configured for the real target application. A related non-canonical appId matching issue is tracked separately under GHSA-4w3q-qpfq-v992 (GitHub Advisory, Apollo Advisory).

Impacto

Successful exploitation allows an unauthenticated remote attacker to read raw configuration data from any application hosted on a vulnerable Apollo ConfigService instance, even when AccessKey or management key authentication is enabled. Configuration data in Apollo typically contains sensitive application settings such as database credentials, API keys, service endpoints, and other secrets, making this a significant confidentiality breach. There is no integrity or availability impact, but exposed credentials could enable lateral movement into downstream systems (GitHub Advisory, Apollo Advisory).

Pasos de explotación

  1. Reconnaissance: Identify internet-facing or network-accessible Apollo ConfigService instances (default port 8080) running versions ≤ 2.5.1, using tools like Shodan, Censys, or internal network scanning.
  2. Identify target application: Determine a valid {appId}, {clusterName}, and {namespace} for a target application registered in the Apollo instance (e.g., via exposed Apollo Portal UI or known naming conventions).
  3. Craft malicious request: Send an unauthenticated HTTP GET request to the raw config endpoint using the known appId: GET /configfiles/raw/{appId}/{clusterName}/{namespace} — without any AccessKey signature headers.
  4. Authentication bypass triggered: ConfigService parses the appId as "raw" instead of the actual {appId}, finds no AccessKey secrets for an app named "raw", and skips signature verification.
  5. Retrieve configuration data: The server returns the raw configuration file contents for the target application, potentially exposing database credentials, API keys, and other sensitive secrets (GitHub Advisory, Apollo Advisory).

Indicadores de compromiso

  • Network: Unauthenticated HTTP GET requests to /configfiles/raw/{appId}/{clusterName}/{namespace} endpoints on Apollo ConfigService (port 8080 by default) without Authorization or AccessKey signature headers; unusual volume of requests to this endpoint pattern from external or unexpected IP addresses.
  • Logs: Apollo ConfigService access logs showing requests to /configfiles/raw/ paths that succeed (HTTP 200) without accompanying authentication headers; absence of signature validation log entries for requests that return configuration data.
  • Process/Application: ConfigService logs indicating appId lookup returning no secrets for appId "raw" followed by a successful configuration data response for a different application's namespace.

Mitigación y soluciones alternativas

The fix is available in Apollo 2.5.2, which validates ConfigService AccessKey app IDs correctly during client authentication (commit 310809d). Users should upgrade to Apollo 2.5.2 or later immediately by deploying updated executables in the order: apollo-configservice, apollo-adminservice, then apollo-portal. No schema changes are required when upgrading from v2.5.1. As a temporary workaround prior to upgrading, operators may consider restricting network access to the ConfigService /configfiles/raw/ endpoint via firewall rules or reverse proxy ACLs (Apollo Release, Apollo Advisory).

Reacciones de la comunidad

The vulnerability was discovered and reported by researchers zhou-youyou and Jarvis-Huanglz, and was published by Apollo maintainer nobodyiam on July 12, 2026. No significant broader media coverage or notable community commentary beyond the official advisory has been identified at this time (Apollo Advisory).

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Java Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-50270HIGH7.5
  • Java logoJava
  • com.datadoghq:dd-java-agent
NoJul 15, 2026
CVE-2026-59955HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoJul 15, 2026
CVE-2026-59954HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoNoJul 15, 2026
CVE-2026-44891HIGH7.5
  • Java logoJava
  • pinot
NoJul 14, 2026
CVE-2025-32781MEDIUM6.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoJul 15, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades