CVE-2026-48050

HIGHPre-NVD 0.0
0.0
EchelonGraph verdictMonitorLow exploitation likelihood right now — keep watching.
  • No confirmed exploitation signals yet
CISA-KEV: Not listedEPSS: 0%CVSS: Exploit: NoneExposed: 0

No vendor fix yet — apply a workaround or compensating control (WAF / firewall / segmentation) and watch for a patch.

Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS

Summary

Arc registers Go's net/http/pprof handlers at /debug/pprof/* via app.Use(pprof.New()) in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth middleware short-circuits before the token check on prefix match, so the endpoints are reachable without any authentication.

Impact

Any network-reachable caller (no token required) can:

  • Fetch /debug/pprof/heap — leaks in-memory state: live SQL strings, decoded msgpack records, decompressed request bodies, cached *TokenInfo (the auth cache keys on SHA-256 of the plaintext token at auth.go:543).
  • Fetch /debug/pprof/goroutine?debug=2 — leaks call stacks, identifying internal code paths.
  • Fetch /debug/pprof/profile?seconds=N — pins a CPU core for arbitrary duration. Trivial DoS amplification (one short HTTP request → minutes of server CPU).
  • Fetch /debug/pprof/trace — long-duration execution trace, similar DoS profile.

No authentication, no rate limiting, no resource bound on the seconds parameter.

Patches

https://github.com/Basekick-Labs/arc/releases/tag/v26.06.1

Planned mitigation:

  • Gate pprof registration behind an env var (ARC_DEBUG_PPROF=1) that defaults to off.
  • When enabled, bind pprof to a separate localhost-only listener (127.0.0.1:6060 via dedicated net/http server) so it's never reachable from the public API port.
  • Remove /debug/pprof from PublicPrefixes.
  • Fix the HasPrefix bug where "/debug/pprofX" matches "/debug/pprof".

Workarounds

  • Block /debug/pprof* at a reverse proxy / load balancer in front of Arc.
  • Restrict Arc's API port to known-trusted networks via firewall rules.
  • Patch the running build: comment out app.Use(pprof.New()) in internal/api/server.go and rebuild.

Credits

Reported by Alex Manson (@NeuroWinter, https://neurowinter.com/) on 2026-05-19.

CVSS v3
EG Score
0.0(none)
EPSS
25.8%
KEV
Not listed

Published

June 11, 2026

Last Modified

June 11, 2026

Vendor Advisories for CVE-2026-48050(1)

These vendors published their own advisory mentioning this CVE — often with vendor-specific remediation steps + affected product lists not in NVD.

Affected Packages

(1 across 1 ecosystem)
Go(1)
PackageVulnerable rangeFixed inDependents
github.com/basekick-labs/arc0.0.0-20260520170331-32a4091fb949

Data Freshness Timeline

(refreshed 0× in last 7d / 5× in last 30d)

Each row is a source pipeline that fetched or updated this CVE on that date, with what changed. For example, "NVD update" means NVD published or revised its analysis for this CVE; "MITRE cvelistV5" means we ingested or refreshed it from the CNA feed. Most recent first.

  1. 2026-06-14 23:18 UTCEPSS rescore
  2. 2026-06-14 22:47 UTCEG score recompute
  3. 2026-06-13 23:00 UTCEPSS rescore
  4. 2026-06-12 23:12 UTCEPSS rescore
  5. 2026-06-11 17:56 UTCEG score recompute

Frequently asked(4)

What is CVE-2026-48050?
CVE-2026-48050 is a high vulnerability published on June 11, 2026. Arc: Unauthenticated access to Go debug pprof endpoints leaks runtime state and enables CPU-burn DoS Summary Arc registers Go's net/http/pprof handlers at /debug/pprof/* via app.Use(pprof.New()) in internal/api/server.go, and /debug/pprof is added to PublicPrefixes in cmd/arc/main.go. The auth…
When was CVE-2026-48050 disclosed?
CVE-2026-48050 was first published in the National Vulnerability Database on June 11, 2026. EchelonGraph re-ingests CVE updates from NVD on a 2-hour cycle, so this page reflects the latest published state.
Is CVE-2026-48050 actively exploited?
CVE-2026-48050 is not currently on CISA's Known Exploited Vulnerabilities catalog. FIRST EPSS estimates a 25.8% percentile likelihood of exploitation in the next 30 days — higher percentiles indicate greater predicted risk.
How do I remediate CVE-2026-48050?
Patch to the fixed version published by the affected vendor. Where vendor advisories exist for CVE-2026-48050, EchelonGraph cross-links them in the Vendor Advisories panel below — those typically contain the canonical remediation steps, fixed version numbers, and any vendor-specific mitigations.

Dependency Blast Radius

See which npm, PyPI, Go, and Maven packages are affected by CVE-2026-48050

Explore →

Is Your Infrastructure Affected by CVE-2026-48050?

EchelonGraph automatically scans your cloud infrastructure and maps CVE exposure using blast radius analysis.