{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/apollo-configservice--2.5.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Apollo ConfigService (\u003c 2.5.2)"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","data-exposure","vulnerability","cloud"],"_cs_type":"advisory","_cs_vendors":["Ctrip"],"content_html":"\u003cp\u003eA critical authentication bypass vulnerability, tracked as CVE-2026-59955, has been identified in Apollo ConfigService versions prior to 2.5.2. This flaw allows unauthenticated remote attackers to gain unauthorized access to sensitive raw configuration data. The vulnerability arises when AccessKey / management key authentication is enabled, but the ConfigService incorrectly parses the \u003ccode\u003eappId\u003c/code\u003e for requests targeting the \u003ccode\u003e/configfiles/raw/{appId}/{clusterName}/{namespace}\u003c/code\u003e endpoint. Instead of recognizing the actual \u003ccode\u003eappId\u003c/code\u003e in the path, the service interprets it as the literal string \u0026quot;raw\u0026quot;. If no AccessKey is specifically configured for an application named \u0026quot;raw\u0026quot;, the service proceeds without verifying the request signature, effectively bypassing authentication for the intended target \u003ccode\u003eappId\u003c/code\u003e and leading to data exposure. This issue impacts organizations using vulnerable versions of Apollo ConfigService, potentially exposing critical system configurations and credentials.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies an internet-exposed Apollo ConfigService instance.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request targeting the raw configuration file endpoint: \u003ccode\u003e/configfiles/raw/{targetAppId}/{clusterName}/{namespace}\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe Apollo ConfigService, with AccessKey authentication enabled, receives the request and initiates the authentication parsing process.\u003c/li\u003e\n\u003cli\u003eDue to the vulnerability, the service incorrectly extracts the \u003ccode\u003eappId\u003c/code\u003e as the literal string \u0026quot;raw\u0026quot; from the raw config file endpoint path, instead of the \u003ccode\u003e{targetAppId}\u003c/code\u003e specified by the attacker.\u003c/li\u003e\n\u003cli\u003eThe service then attempts to look up AccessKey secrets associated with an application named \u0026quot;raw\u0026quot;.\u003c/li\u003e\n\u003cli\u003eIf no AccessKey is found for an application literally named \u0026quot;raw\u0026quot; (which is often the case), the ConfigService bypasses the critical signature verification step.\u003c/li\u003e\n\u003cli\u003eThe service proceeds to process the request for the original \u003ccode\u003e{targetAppId}\u003c/code\u003e, unknowingly granting unauthorized access.\u003c/li\u003e\n\u003cli\u003eThe attacker successfully reads sensitive raw configuration data, which may contain API keys, database credentials, or other proprietary information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-59955 allows unauthenticated remote attackers to read sensitive raw configuration data from affected Apollo ConfigService endpoints. This direct access to configuration details can lead to severe consequences, including credential compromise, intellectual property theft, further system compromise, and unauthorized data access. The exact number of victims is not publicly available, but organizations using vulnerable versions of Apollo ConfigService are at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade Apollo ConfigService to version 2.5.2 or later immediately to patch CVE-2026-59955.\u003c/li\u003e\n\u003cli\u003eReview access logs for \u003ccode\u003e/configfiles/raw\u003c/code\u003e endpoints for unusual or unauthenticated access patterns prior to patching.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T18:38:20Z","date_published":"2026-07-13T18:38:20Z","id":"https://feed.craftedsignal.io/briefs/2026-07-apollo-configservice-auth-bypass/","summary":"An authentication bypass vulnerability (CVE-2026-59955) in Apollo ConfigService allows unauthenticated remote attackers to read raw configuration data by exploiting an incorrect appId parsing logic for the raw config file endpoint, affecting versions prior to 2.5.2.","title":"Apollo ConfigService Authentication Bypass via Raw Config File AppId Parsing","url":"https://feed.craftedsignal.io/briefs/2026-07-apollo-configservice-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed - Apollo ConfigService (\u003c 2.5.2)","version":"https://jsonfeed.org/version/1.1"}