File Access Vulnerability in Armeria-xDS by Line Corporation
CVE-2026-11752

5.9 MEDIUM

Key Information:

Status
Vendor
CVE Published: 19 June 2026

What is CVE-2026-11752?

A security flaw has been discovered in armeria-xds versions 1.38.0 through 1.39.0. The DataSourceStream component within the xDS module resolves control-plane-supplied filenames and environment variables without proper restrictions, which permits unauthorized access to files and environment variables. As a result, a compromised or trusted xDS control plane can read arbitrary local files and sensitive environment variables from the xDS client host, posing a significant risk of data exposure.
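The kind of restriction the description says is missing can be sketched as follows. This is an added example, not Armeria code and not the fix shipped by the project: `RestrictedDataSourceResolver`, its methods, the temporary directory and the variable name `XDS_NODE_ID` are hypothetical, and the sample inputs are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Set;

// Hypothetical helper (not an Armeria class): applies allowlists before a
// control-plane-supplied file name or environment variable name is resolved.
public final class RestrictedDataSourceResolver {
    private final Path allowedRoot;        // only files under this directory may be read
    private final Set<String> allowedEnv;  // only these variable names may be read

    public RestrictedDataSourceResolver(Path allowedRoot, Set<String> allowedEnv) throws IOException {
        // Resolve symlinks once so later containment checks compare real paths.
        this.allowedRoot = allowedRoot.toRealPath();
        this.allowedEnv = Set.copyOf(allowedEnv);
    }

    public byte[] readFile(String filename) throws IOException {
        // toRealPath() collapses ".." and follows symlinks, so both traversal
        // and a link that points outside the root fail the startsWith check.
        // An absolute filename replaces the root in resolve() and fails too.
        Path real = allowedRoot.resolve(filename).toRealPath();
        if (!real.startsWith(allowedRoot)) {
            throw new SecurityException("xDS filename outside allowed root: " + filename);
        }
        return Files.readAllBytes(real);
    }

    public String readEnv(String name) {
        if (!allowedEnv.contains(name)) {
            throw new SecurityException("xDS environment variable not allowlisted: " + name);
        }
        return System.getenv(name); // may be null if the variable is unset
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample input: a temp directory holding one permitted file.
        Path root = Files.createTempDirectory("xds-data");
        Files.writeString(root.resolve("token.txt"), "demo");
        RestrictedDataSourceResolver r =
                new RestrictedDataSourceResolver(root, Set.of("XDS_NODE_ID"));
        System.out.println("allowed: " + new String(r.readFile("token.txt")));
        for (String bad : new String[] {"../../etc/hostname", "/etc/hostname"}) {
            try {
                r.readFile(bad);
            } catch (SecurityException | IOException e) {
                System.out.println("rejected: " + bad);
            }
        }
        try {
            r.readEnv("HOME");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```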

Affected Version(s)

Armeria 1.38.0 < 1.40.0

CVSS V4

Score: 5.9
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved
