๐Ÿ” CVE Alert

CVE-2025-32781

MEDIUM 6.5

Apollo: Apollo Portal release endpoint allows cross-application configuration disclosure via releaseId

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.0, Apollo Portal does not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/{env}/releases/{releaseId} while configView.memberOnly.envs is enabled, allowing a low-privileged Portal user who obtains or guesses a valid releaseId to read configuration data from other applications and namespaces without calling UserPermissionValidator.shouldHideConfigToCurrentUser(...). This issue is fixed in version 2.5.0.

CWE CWE-639 CWE-862
Vendor apolloconfig
Product apollo
Published Jul 15, 2026
Last Updated Jul 15, 2026
Stay Ahead of the Next One

Get instant alerts for apolloconfig apollo

Be the first to know when new medium vulnerabilities affecting apolloconfig apollo are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

apolloconfig / apollo
< 2.5.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/apolloconfig/apollo/security/advisories/GHSA-jxpj-9j24-w337 github.com: https://github.com/apolloconfig/apollo/pull/5378 github.com: https://github.com/apolloconfig/apollo/commit/362735ded4f13b62f6ab9df135d7096066e8e291 github.com: https://github.com/apolloconfig/apollo/releases/tag/v2.5.0