Descriptions

A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.

Severity

  • CVSSv4.0 Score: 5.9 (CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N)

Affected Versions

  • Armeria-xds 1.38.0 through 1.39.0

Fix

  • Armeria-xds should be updated to latest version (>= 1.40.0).

Reference

  • https://www.cve.org/CVERecord?id=CVE-2026-11752
  • https://github.com/line/armeria/security/advisories/GHSA-hgw6-8c77-v4gq

Updated: