GHSA-h4pc-58cc-hc95HighCVSS 7.5

Apollo ConfigService access key authentication bypass via raw config file appId parsing

Published
July 13, 2026
Last Modified
July 13, 2026

🔗 CVE IDs covered (1)

📋 Description

Summary

Apollo ConfigService may allow unauthorized access to raw configuration data when AccessKey / management key authentication is enabled because authentication parsed the appId incorrectly for the raw config file endpoint.

Details

Requests under /configfiles/raw/{appId}/{clusterName}/{namespace} were parsed for authentication as appId "raw" instead of the actual path appId. ConfigService used the parsed appId to look up available AccessKey secrets before verifying the request signature.

If no AccessKey is configured for an application literally named "raw", ConfigService may treat the request as having no available secrets and allow it to continue without signature verification, even when AccessKey / management key authentication is enabled for the actual target appId in the path.

Impact

An unauthenticated remote attacker may read raw configuration data from affected ConfigService endpoints when AccessKey / management key authentication is enabled for the target app and the attacker requests the raw config file endpoint.

Affected endpoints

The primary impact is on ConfigService raw config file reads under /configfiles/raw/{appId}/{clusterName}/{namespace}.

Status

Fixed in Apollo 2.5.2. Users should upgrade to Apollo 2.5.2 or later.

Related advisory

The non-canonical appId matching issue is tracked separately in GHSA-4w3q-qpfq-v992 so each independently fixable vulnerability can receive its own CVE.

🎯 Affected products1

  • maven/com.ctrip.framework.apollo:apollo:< 2.5.2

🔗 References (3)