Unauthorized File Write Vulnerability in Feast Feature Server
CVE-2026-23537

9.1CRITICAL

Key Information:

Vendor

Feast

Vendor
CVE Published:
1 July 2026

What is CVE-2026-23537?

A vulnerability exists in the Feast Feature Server that enables unauthenticated remote attackers to write arbitrary JSON files to the server’s filesystem via the /save-document endpoint. Although mechanisms are in place to limit file location access, these can be circumvented, allowing attackers to overwrite critical application configurations and startup scripts. This flaw does not require any credentials or elevated privileges, meaning that any attacker with network access could potentially compromise system integrity, leading to unauthorized modifications, disk exhaustion, or even remote code execution.

Affected Version(s)

Feast Feature Server 0 < 0.59.0

References

CVSS V3.1

Score:
9.1
Severity:
CRITICAL
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

This issue was discovered by Jitendra Yejare (Red Hat).
.