
PEACH
Un cadre d’isolation des locataires
CVE-2026-59955 is an authentication bypass vulnerability in Apollo ConfigService that allows unauthenticated remote attackers to read raw configuration data by exploiting incorrect appId parsing in the raw config file endpoint. The flaw affects all versions of com.ctrip.framework.apollo:apollo (Maven) up to and including 2.5.1, and was published on July 12–13, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Apollo Advisory).
The root cause is improper input validation (CWE-20) combined with improper authentication (CWE-287) in Apollo ConfigService's authentication logic for the /configfiles/raw/{appId}/{clusterName}/{namespace} endpoint. When processing authentication for this path, ConfigService incorrectly parsed the appId as the literal string "raw" — the first path segment after /configfiles/ — rather than the actual {appId} value in the URL. ConfigService then used this misidentified appId to look up available AccessKey secrets; if no AccessKey is registered for an application named "raw", the service finds no secrets and skips signature verification entirely, even when AccessKey or management key authentication is properly configured for the real target application. A related non-canonical appId matching issue is tracked separately under GHSA-4w3q-qpfq-v992 (GitHub Advisory, Apollo Advisory).
Successful exploitation allows an unauthenticated remote attacker to read raw configuration data from any application hosted on a vulnerable Apollo ConfigService instance, even when AccessKey or management key authentication is enabled. Configuration data in Apollo typically contains sensitive application settings such as database credentials, API keys, service endpoints, and other secrets, making this a significant confidentiality breach. There is no integrity or availability impact, but exposed credentials could enable lateral movement into downstream systems (GitHub Advisory, Apollo Advisory).
{appId}, {clusterName}, and {namespace} for a target application registered in the Apollo instance (e.g., via exposed Apollo Portal UI or known naming conventions).GET /configfiles/raw/{appId}/{clusterName}/{namespace} — without any AccessKey signature headers."raw" instead of the actual {appId}, finds no AccessKey secrets for an app named "raw", and skips signature verification./configfiles/raw/{appId}/{clusterName}/{namespace} endpoints on Apollo ConfigService (port 8080 by default) without Authorization or AccessKey signature headers; unusual volume of requests to this endpoint pattern from external or unexpected IP addresses./configfiles/raw/ paths that succeed (HTTP 200) without accompanying authentication headers; absence of signature validation log entries for requests that return configuration data."raw" followed by a successful configuration data response for a different application's namespace.The fix is available in Apollo 2.5.2, which validates ConfigService AccessKey app IDs correctly during client authentication (commit 310809d). Users should upgrade to Apollo 2.5.2 or later immediately by deploying updated executables in the order: apollo-configservice, apollo-adminservice, then apollo-portal. No schema changes are required when upgrading from v2.5.1. As a temporary workaround prior to upgrading, operators may consider restricting network access to the ConfigService /configfiles/raw/ endpoint via firewall rules or reverse proxy ACLs (Apollo Release, Apollo Advisory).
The vulnerability was discovered and reported by researchers zhou-youyou and Jarvis-Huanglz, and was published by Apollo maintainer nobodyiam on July 12, 2026. No significant broader media coverage or notable community commentary beyond the official advisory has been identified at this time (Apollo Advisory).
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."