CVE Catalog

CVE-2026-11752

MediumCVSS 5.9
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.20%

10th percentile — higher than 10% of all known CVEs

Summary

A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction.

Risk Assessment

The risk is that a compromised or semi-trusted xDS control plane can read arbitrary local files and environment variables on the xDS client host, potentially leading to the exposure of sensitive information.

Recommendation

It is recommended to upgrade to the latest version of armeria-xds to mitigate the risk associated with this vulnerability and to restrict access to the xDS control plane only to trusted sources.

Original NVD description (English source)

A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS