Unauthorized File Write Vulnerability in Feast Feature Server
CVE-2026-23537
9.1CRITICAL
What is CVE-2026-23537?
A vulnerability exists in the Feast Feature Server that enables unauthenticated remote attackers to write arbitrary JSON files to the server’s filesystem via the /save-document endpoint. Although mechanisms are in place to limit file location access, these can be circumvented, allowing attackers to overwrite critical application configurations and startup scripts. This flaw does not require any credentials or elevated privileges, meaning that any attacker with network access could potentially compromise system integrity, leading to unauthorized modifications, disk exhaustion, or even remote code execution.
Affected Version(s)
Feast Feature Server 0 < 0.59.0
References
CVSS V3.1
Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Timeline
Vulnerability published
Vulnerability Reserved
Credit
This issue was discovered by Jitendra Yejare (Red Hat).
