CVE-2026-0650
OpenFlagr <= 1.1.18 Authentication Bypass via Prefix Whitelist Path Normalization
CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th
OpenFlagr versions prior to and including 1.1.18 contain an authentication bypass vulnerability in the HTTP middleware. Due to improper handling of path normalization in the whitelist logic, crafted requests can bypass authentication and access protected API endpoints without valid credentials. Unauthorized access may allow modification of feature flags and export of sensitive data.
| CWE | CWE-306 CWE-425 |
| Vendor | openflagr |
| Product | flagr |
| Published | Jan 7, 2026 |
| Last Updated | Jul 14, 2026 |
Stay Ahead of the Next One
Get instant alerts for openflagr flagr
Be the first to know when new unknown vulnerabilities affecting openflagr flagr are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
Affected Versions
OpenFlagr / Flagr
0 โค 1.1.18
References
github.com: https://github.com/openflagr/flagr/releases/tag/1.1.19 dreyand.rs: https://dreyand.rs/code%20review/golang/2026/01/03/0day-speedrun-openflagr-less-1118-authentication-bypass vulncheck.com: https://www.vulncheck.com/advisories/openflagr-authentication-bypass-via-prefix-whitelist-path-normalization
Credits
DreyAnd