
PEACH
Un cadre d’isolation des locataires
CVE-2026-59954 is an access key authentication bypass vulnerability in Apollo ConfigService that allows unauthenticated remote attackers to read protected configuration data. The flaw affects Apollo versions up to and including 2.5.1 (Maven package com.ctrip.framework.apollo:apollo), and was published on July 12–13, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Apollo Advisory).
The root cause is improper input validation and improper authentication (CWE-20, CWE-287) in how Apollo ConfigService extracts and validates the appId parameter from incoming configuration and notification requests. When ConfigService looks up AccessKey secrets for a given appId, it performs an exact cache key match; if an attacker supplies a non-canonical variant of the appId (e.g., an accent-modified string under an accent-insensitive database collation, or a trailing-space variant under a PAD SPACE collation), the cache lookup finds no secrets and skips signature verification entirely. However, the downstream release lookup still resolves the non-canonical variant to the real app's data because the database collation treats them as equivalent, effectively granting unauthenticated access to protected configuration. The attack requires no privileges or user interaction and is exploitable over the network (GitHub Advisory, Apollo Advisory).
A successful exploit allows an unauthenticated remote attacker to read sensitive configuration data from Apollo ConfigService endpoints — specifically those under /configs and /configfiles — even when AccessKey or management key authentication is enabled for the target application. Configuration data stored in Apollo may include database credentials, API keys, internal service endpoints, and other secrets, making this a high-confidentiality-impact vulnerability. There is no integrity or availability impact, but exposure of configuration secrets could enable lateral movement or further compromise of dependent services (GitHub Advisory, Apollo Advisory).
appId of a target application that has AccessKey authentication enabled (this may be discoverable via error messages, documentation, or other information leakage.appId that differs from the canonical form but will be treated as equivalent by the database — for example, by appending trailing spaces or substituting accented characters./configs/{non-canonical-appId}/{clusterName}/{namespaceName} or /configfiles/{non-canonical-appId}/{clusterName}/{namespaceName} without providing a valid AccessKey signature./configs/ or /configfiles/ endpoints on Apollo ConfigService from unknown or external IP addresses, particularly without valid Authorization or signature headers; requests using appId values with trailing spaces, accent characters, or other non-standard character variants.The vulnerability is fixed in Apollo 2.5.2, which validates ConfigService AccessKey app IDs during client authentication. Users should upgrade to Apollo 2.5.2 or later immediately. The upgrade from v2.5.1 to v2.5.2 requires no database schema changes — simply redeploy the updated executables in the order: apollo-configservice, apollo-adminservice, then apollo-portal. No configuration-based workaround is documented; upgrading is the recommended remediation (Apollo 2.5.2 Release, Apollo Advisory).
The vulnerability was discovered and reported by researchers zhou-youyou and Jarvis-Huanglz, and was published by Apollo maintainer nobodyiam on July 12, 2026. A related advisory (GHSA-h4pc-58cc-hc95) was split from this one to address a separate raw config file endpoint parsing issue, each receiving its own CVE. No broader media coverage or notable community commentary has been identified beyond the official advisory (Apollo Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."