External risk intelligence

OpenFlagr Authentication Bypass via Path Normalization Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.3)

CVE-2026-0650

OpenFlagr is a feature management and A/B testing service. These tools are commonly deployed as centralized API services or web-based management portals intended to be accessed by various application environments and administrative users, often resulting in network-reachable web and API endpoints.

Missing Authentication

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This advisory highlights a critical vulnerability in OpenFlagr, a technology used for managing feature flags and A/B testing. The issue allows unauthenticated access to protected API endpoints, potentially leading to unauthorized modification of feature flags or the export of sensitive data. Understanding the scope of its use within your organization is key to assessing risk.

  • Bypass authentication to access sensitive features.
  • Impacts systems controlling application behavior.
  • Confirm if OpenFlagr is in use.

Attack Path

How an attacker could exploit the issue

An attacker could reach protected areas of OpenFlagr by sending specially crafted web requests. The system's handling of web addresses, specifically how it checks them against a list of allowed paths, can be tricked. This bypasses the need for a login, potentially allowing the attacker to alter feature settings or steal information.

  • Network access is required.
  • Crafted requests bypass authentication.
  • Unauthorized access to sensitive data.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to bypass access controls and reach protected API endpoints. This could lead to unauthorized modification of feature flags or the export of sensitive data.

  • API endpoints and feature flag configurations.
  • Crafted requests can bypass authentication.
  • Unauthorized modification or data export.

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability in OpenFlagr's HTTP middleware allows unauthenticated access to protected API endpoints through crafted requests, potentially leading to modification of feature flags and data exfiltration. The first practical step is to identify all instances of OpenFlagr, confirm their network exposure and business criticality, and assign ownership for remediation planning.

  • Ownership by application or platform teams.
  • Verify network exposure and criticality.
  • Plan remediation based on risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is OpenFlagr?

OpenFlagr is an open-source service used for feature management and A/B testing. It allows engineering teams to control application behavior dynamically by toggling features on or off without redeploying code. Because it acts as a centralized engine for these decisions, it is typically deployed as a web service or API that other internal systems communicate with to determine how users experience an application.

How does CVE-2026-0650 bypass authentication?

This vulnerability is an authentication bypass involving improper input validation, specifically CWE-306 and CWE-425. The software's HTTP middleware fails to correctly normalize web request paths when comparing them against a whitelist of allowed locations. An attacker can craft a specific URL that confuses this logic, causing the system to mistakenly treat a restricted API endpoint as an unprotected one, thereby granting unauthorized access without requiring valid credentials.

What triggers the OpenFlagr vulnerability?

The flaw is triggered when an attacker sends a specially crafted web request to the OpenFlagr server. It is important to note that the vulnerability does not trigger from standard, legitimate usage of the application's intended features. It specifically requires an adversary to manipulate the path structure of the request to exploit the underlying normalization logic flaw within the HTTP middleware.

Do I need to worry about this if my instance is internal?

Yes, you should evaluate the risk. According to Halo Surface Signal, OpenFlagr is often deployed as a centralized API service, making it highly likely that instances are network-reachable across various application environments. While an internet-facing instance is more easily targeted, any environment where unauthorized users or systems can send requests to the OpenFlagr API may be susceptible to this bypass.

How do I start responding to this CVE?

Your first step is to conduct an internal audit to identify all running instances of OpenFlagr within your infrastructure. Once identified, map out which instances are connected to the network and determine their business criticality. Assign ownership of these instances to the relevant platform or application teams so they can prepare for remediation and verify that your current deployment version is no longer vulnerable.

References