Unauthorized Access Vulnerability in Apollo Configuration Management System
CVE-2026-59954

7.5HIGH

Key Information:

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-59954?

The Apollo ConfigService, a widely-used configuration management system for microservices, is vulnerable to an unauthorized access issue. This vulnerability occurs when the AccessKey or management key authentication is enabled, allowing malicious actors to exploit non-canonical appId variants during the authentication process. Such exploitation can lead to unauthorized retrieval of configuration data through the /configs and /configfiles endpoints. This flaw can affect users who may be unaware of accent-insensitive collation and PAD SPACE collation allowed by the application. Users are encouraged to upgrade to version 2.5.2 or later to mitigate any risks associated with this vulnerability.

Affected Version(s)

apollo < 2.5.2

References

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.