CVE-2026-31866
📋 TL;DR
CVE-2026-31866 is a denial-of-service vulnerability in the flagd feature flag daemon: unauthenticated attackers can send HTTP requests with arbitrarily large bodies to the public evaluation endpoints, causing memory exhaustion and process termination. All flagd deployments with exposed evaluation endpoints are affected. The vulnerability exists because the daemon reads the evaluation context into memory without any size restriction.
💻 Affected Systems
- flagd
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete service disruption through memory exhaustion leading to process termination, potentially causing cascading failures in dependent applications and requiring manual intervention to restart services.
Likely Case
Service disruption through memory exhaustion causing flagd process termination, breaking feature flag functionality for client applications until service is restarted.
If Mitigated
Minimal impact if endpoints are properly secured with authentication, rate limiting, and request size limits, or if deployed behind protective infrastructure.
🎯 Exploit Status
Exploitation requires only sending a single HTTP request with a large body to a vulnerable endpoint, making it trivial to weaponize.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 0.14.2
Vendor Advisory: https://github.com/open-feature/flagd/security/advisories/GHSA-rmrf-g9r3-73pm
Restart Required: Yes
Instructions:
1. Update flagd to version 0.14.2 or later.
2. Restart the flagd service.
3. Verify that the new version is running.
🔧 Temporary Workarounds
Implement request size limits
Configure a reverse proxy or load balancer to limit the request body size.
# Example nginx configuration: client_max_body_size 1M;
# Example Apache configuration: LimitRequestBody 1048576
Implement authentication
Deploy flagd behind an authenticating reverse proxy or implement authentication middleware.
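As an added example (not flagd's own code and not from the advisory), the following Go HTTP middleware applies the same body cap in-process that the proxy directives above apply at the edge. It rejects a declared Content-Length above the limit before reading anything, and wraps the body in http.MaxBytesReader so an undeclared or chunked body can never be buffered past the cap. The evalHandler, the 1 MiB limit, and the /ofrep/v1/evaluate/flags path used by probe are assumed for illustration; probe doubles as the "large request bodies are rejected" check, returning the status code the handler produced.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// maxEvalBody is the request-body cap applied to evaluation endpoints.
// 1 MiB matches the proxy examples on this page; it is an assumed value,
// tune it to the largest evaluation context your clients legitimately send.
const maxEvalBody = 1 << 20

// limitBody wraps an HTTP handler so the request body is capped at n bytes.
// http.MaxBytesReader returns an error once the cap is exceeded, so the
// wrapped handler never buffers more than n bytes regardless of what the
// client declares (or does not declare) in Content-Length.
func limitBody(n int64, next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		// A declared Content-Length above the cap is rejected before a
		// single body byte is read.
		if r.ContentLength > n {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		r.Body = http.MaxBytesReader(w, r.Body, n)
		next.ServeHTTP(w, r)
	})
}

// evalHandler stands in for an evaluation endpoint: it reads the whole
// evaluation context into memory, the pattern the CVE describes.
// Hypothetical handler for this example, not flagd's own.
func evalHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var mbe *http.MaxBytesError
		if errors.As(err, &mbe) {
			// Cap hit while streaming the body: reading stopped at n bytes.
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "evaluated context of %d bytes\n", len(body))
}

// probe sends a POST with a body of size bytes to the capped handler and
// returns the HTTP status code. With declareLength=false the request carries
// no Content-Length, exercising the streaming path through MaxBytesReader.
func probe(size int, declareLength bool) int {
	h := limitBody(maxEvalBody, http.HandlerFunc(evalHandler))
	req := httptest.NewRequest(http.MethodPost, "/ofrep/v1/evaluate/flags",
		strings.NewReader(strings.Repeat("x", size)))
	if !declareLength {
		req.ContentLength = -1 // unknown length, as with chunked encoding
	}
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	fmt.Println("1 KiB body, declared:", probe(1024, true))
	fmt.Println("2 MiB body, declared:", probe(2*maxEvalBody, true))
	fmt.Println("2 MiB body, undeclared:", probe(2*maxEvalBody, false))
}
```

The early Content-Length check is an optimisation, not the safeguard: a client can omit or misstate the header, so the MaxBytesReader wrap is what guarantees the handler's io.ReadAll stops at the cap.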
🧯 If You Can't Patch
- Deploy flagd behind a reverse proxy with request size limits and authentication
- Implement network segmentation and firewall rules to restrict access to flagd endpoints
🔍 How to Verify
Check if Vulnerable:
Check the flagd version: if it is earlier than 0.14.2 and the OFREP or gRPC evaluation endpoints are exposed, the system is vulnerable.
Check Version:
flagd --version
Verify Fix Applied:
Verify that the flagd version is 0.14.2 or later and test that oversized request bodies are rejected.
📡 Detection & Monitoring
Log Indicators:
- Memory exhaustion errors
- Process termination/OOMKill events
- Unusually large HTTP request bodies
Network Indicators:
- Large HTTP POST requests to /ofrep/v1/evaluate/* endpoints
- Large gRPC requests to evaluation.v1/v2 services
SIEM Query:
source="flagd" AND ("out of memory" OR "OOM" OR "killed")
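As an added example (not from the advisory or the flagd project), the following Go program implements the network indicators above as a scan over a reverse-proxy access log: it flags POST requests to /ofrep/v1/evaluate/* paths whose request size exceeds a threshold, and any that the proxy already rejected with 413, which means a size limit is firing. The log format, the nginx log_format line that would produce it, the client addresses and the sample lines are all constructed for this example.

```go
package main

import (
	"bufio"
	"fmt"
	"strconv"
	"strings"
)

// Constructed sample of a reverse-proxy access log in front of flagd. The
// format is assumed for this example (it is not nginx's default); it is what
// the following log_format directive would produce, with $request_length
// giving the size of request line, headers and body in bytes:
//
//   log_format flagd '$remote_addr $request_method $uri $status $request_length';
const sampleLog = `10.0.0.5 POST /ofrep/v1/evaluate/flags/new-ui 200 412
10.0.0.5 POST /ofrep/v1/evaluate/flags 200 1034
10.0.0.9 POST /ofrep/v1/evaluate/flags/new-ui 200 7340032
10.0.0.9 POST /ofrep/v1/evaluate/flags/new-ui 413 52428800
10.0.0.7 GET /healthz 200 88
10.0.0.7 POST /ofrep/v1/evaluate/flags 200 905
`

// Alert describes one request worth investigating.
type Alert struct {
	Client string
	Path   string
	Status int
	Bytes  int64
	Reason string
}

// findOversized scans access-log lines and returns an alert for every POST
// to an OFREP evaluation path whose request size exceeds threshold bytes, or
// that the proxy rejected with 413 (the size limit already doing its job).
func findOversized(log string, threshold int64) []Alert {
	var alerts []Alert
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 5 {
			continue // malformed line: skip it rather than abort the scan
		}
		client, method, path := f[0], f[1], f[2]
		status, err1 := strconv.Atoi(f[3])
		size, err2 := strconv.ParseInt(f[4], 10, 64)
		if err1 != nil || err2 != nil {
			continue
		}
		if method != "POST" || !strings.HasPrefix(path, "/ofrep/v1/evaluate/") {
			continue
		}
		switch {
		case status == 413:
			alerts = append(alerts, Alert{client, path, status, size, "rejected by size limit"})
		case size > threshold:
			alerts = append(alerts, Alert{client, path, status, size, "oversized evaluation request"})
		}
	}
	return alerts
}

func main() {
	// 1 MiB threshold, matching the proxy limit suggested on this page.
	for _, a := range findOversized(sampleLog, 1<<20) {
		fmt.Printf("%s %s status=%d %d bytes: %s\n", a.Client, a.Path, a.Status, a.Bytes, a.Reason)
	}
}
```

A 413 alert is a sign the mitigation is working and that someone is probing the limit; an oversized request that still returned 200 means the limit is not in front of that path and is the case to act on first.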