CVE-2026-0650 CRITICAL

CVE-2026-0650: OpenFlagr <= 1.1.18 Authentication Bypass via Prefix Whitelist Path Normalization

Vendor Openflagr
Product Flagr
Weakness CWE-306 · Missing Authentication for Critical Function
Published January 7, 2026
Last update January 7, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High
Availability High

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

Description

OpenFlagr versions up to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Because the whitelist logic matches path prefixes without properly normalizing the request path first, crafted requests can bypass authentication and reach protected API endpoints without valid credentials. Such unauthorized access may allow modification of feature flags and export of sensitive data.

Key dates

Disclosure timeline

January 7, 2026 CVE published
January 7, 2026 Record updated