CVE-2026-59955
Java Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-59955 is an authentication bypass vulnerability in Apollo ConfigService that allows unauthenticated remote attackers to read raw configuration data by exploiting incorrect appId parsing in the raw config file endpoint. The flaw affects all versions of com.ctrip.framework.apollo:apollo (Maven) up to and including 2.5.1, and was published on July 12–13, 2026. It carries a CVSS v3.1 base score of 7.5 (High) (GitHub Advisory, Apollo Advisory).

Détails techniques

The root cause is improper input validation (CWE-20) combined with improper authentication (CWE-287) in Apollo ConfigService's authentication logic for the /configfiles/raw/{appId}/{clusterName}/{namespace} endpoint. When processing authentication for this path, ConfigService incorrectly parsed the appId as the literal string "raw" — the first path segment after /configfiles/ — rather than the actual {appId} value in the URL. ConfigService then used this misidentified appId to look up available AccessKey secrets; if no AccessKey is registered for an application named "raw", the service finds no secrets and skips signature verification entirely, even when AccessKey or management key authentication is properly configured for the real target application. A related non-canonical appId matching issue is tracked separately under GHSA-4w3q-qpfq-v992 (GitHub Advisory, Apollo Advisory).

Impact

Successful exploitation allows an unauthenticated remote attacker to read raw configuration data from any application hosted on a vulnerable Apollo ConfigService instance, even when AccessKey or management key authentication is enabled. Configuration data in Apollo typically contains sensitive application settings such as database credentials, API keys, service endpoints, and other secrets, making this a significant confidentiality breach. There is no integrity or availability impact, but exposed credentials could enable lateral movement into downstream systems (GitHub Advisory, Apollo Advisory).

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing or network-accessible Apollo ConfigService instances (default port 8080) running versions ≤ 2.5.1, using tools like Shodan, Censys, or internal network scanning.
  2. Identify target application: Determine a valid {appId}, {clusterName}, and {namespace} for a target application registered in the Apollo instance (e.g., via exposed Apollo Portal UI or known naming conventions).
  3. Craft malicious request: Send an unauthenticated HTTP GET request to the raw config endpoint using the known appId: GET /configfiles/raw/{appId}/{clusterName}/{namespace} — without any AccessKey signature headers.
  4. Authentication bypass triggered: ConfigService parses the appId as "raw" instead of the actual {appId}, finds no AccessKey secrets for an app named "raw", and skips signature verification.
  5. Retrieve configuration data: The server returns the raw configuration file contents for the target application, potentially exposing database credentials, API keys, and other sensitive secrets (GitHub Advisory, Apollo Advisory).

Indicateurs de compromis

  • Network: Unauthenticated HTTP GET requests to /configfiles/raw/{appId}/{clusterName}/{namespace} endpoints on Apollo ConfigService (port 8080 by default) without Authorization or AccessKey signature headers; unusual volume of requests to this endpoint pattern from external or unexpected IP addresses.
  • Logs: Apollo ConfigService access logs showing requests to /configfiles/raw/ paths that succeed (HTTP 200) without accompanying authentication headers; absence of signature validation log entries for requests that return configuration data.
  • Process/Application: ConfigService logs indicating appId lookup returning no secrets for appId "raw" followed by a successful configuration data response for a different application's namespace.

Atténuation et solutions de contournement

The fix is available in Apollo 2.5.2, which validates ConfigService AccessKey app IDs correctly during client authentication (commit 310809d). Users should upgrade to Apollo 2.5.2 or later immediately by deploying updated executables in the order: apollo-configservice, apollo-adminservice, then apollo-portal. No schema changes are required when upgrading from v2.5.1. As a temporary workaround prior to upgrading, operators may consider restricting network access to the ConfigService /configfiles/raw/ endpoint via firewall rules or reverse proxy ACLs (Apollo Release, Apollo Advisory).

Réactions de la communauté

The vulnerability was discovered and reported by researchers zhou-youyou and Jarvis-Huanglz, and was published by Apollo maintainer nobodyiam on July 12, 2026. No significant broader media coverage or notable community commentary beyond the official advisory has been identified at this time (Apollo Advisory).

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Java Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-50270HIGH7.5
  • Java logoJava
  • com.datadoghq:dd-java-agent
NonOuiJul 15, 2026
CVE-2026-59955HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026
CVE-2026-59954HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonNonJul 15, 2026
CVE-2026-44891HIGH7.5
  • Java logoJava
  • pinot
NonOuiJul 14, 2026
CVE-2025-32781MEDIUM6.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités