Apollo ConfigService Authentication Bypass via Raw Config File AppId Parsing
An authentication bypass vulnerability (CVE-2026-59955) in Apollo ConfigService allows unauthenticated remote attackers to read raw configuration data by exploiting an incorrect appId parsing logic for the raw config file endpoint, affecting versions prior to 2.5.2.
A critical authentication bypass vulnerability, tracked as CVE-2026-59955, has been identified in Apollo ConfigService versions prior to 2.5.2. This flaw allows unauthenticated remote attackers to gain unauthorized access to sensitive raw configuration data. The vulnerability arises when AccessKey / management key authentication is enabled, but the ConfigService incorrectly parses the appId for requests targeting the /configfiles/raw/{appId}/{clusterName}/{namespace} endpoint. Instead of recognizing the actual appId in the path, the service interprets it as the literal string "raw". If no AccessKey is specifically configured for an application named "raw", the service proceeds without verifying the request signature, effectively bypassing authentication for the intended target appId and leading to data exposure. This issue impacts organizations using vulnerable versions of Apollo ConfigService, potentially exposing critical system configurations and credentials.
Attack Chain
- An unauthenticated attacker identifies an internet-exposed Apollo ConfigService instance.
- The attacker crafts an HTTP GET request targeting the raw configuration file endpoint:
/configfiles/raw/{targetAppId}/{clusterName}/{namespace}. - The Apollo ConfigService, with AccessKey authentication enabled, receives the request and initiates the authentication parsing process.
- Due to the vulnerability, the service incorrectly extracts the
appIdas the literal string "raw" from the raw config file endpoint path, instead of the{targetAppId}specified by the attacker. - The service then attempts to look up AccessKey secrets associated with an application named "raw".
- If no AccessKey is found for an application literally named "raw" (which is often the case), the ConfigService bypasses the critical signature verification step.
- The service proceeds to process the request for the original
{targetAppId}, unknowingly granting unauthorized access. - The attacker successfully reads sensitive raw configuration data, which may contain API keys, database credentials, or other proprietary information.
Impact
Successful exploitation of CVE-2026-59955 allows unauthenticated remote attackers to read sensitive raw configuration data from affected Apollo ConfigService endpoints. This direct access to configuration details can lead to severe consequences, including credential compromise, intellectual property theft, further system compromise, and unauthorized data access. The exact number of victims is not publicly available, but organizations using vulnerable versions of Apollo ConfigService are at risk.
Recommendation
- Upgrade Apollo ConfigService to version 2.5.2 or later immediately to patch CVE-2026-59955.
- Review access logs for
/configfiles/rawendpoints for unusual or unauthenticated access patterns prior to patching.