CVE-2026-23536 HIGH

CVE-2026-23536: Feast: unauthenticated arbitrary file read

Vendor: Red Hat
Product: Red Hat OpenShift AI (RHOAI)
Weakness: CWE-22 · Path traversal
Published: March 20, 2026
Last update: June 30, 2026

CVSS base score

7.5/10
Attack vector: Network
Attack complexity: Low
Privileges required: None
User interaction: None
Confidentiality: High
Integrity: None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

What the vulnerability does

01 Description

A security issue was discovered in the Feast Feature Server's `/read-document` endpoint that allows an unauthenticated remote attacker to read any file accessible to the server process. By sending a specially crafted HTTP POST request, an attacker can bypass intended access restrictions to potentially retrieve sensitive system files, application configurations, and credentials.

Key dates

02 Disclosure timeline

March 20, 2026: CVE published
June 30, 2026: Record updated
