Description
A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.
Published: 2026-06-19
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Armeria, the HTTP/2-based microservice framework from LY Corporation, contains an issue in its xDS module (armeria-xds) in versions 1.38.0 through 1.39.0. The "DataSourceStream" component resolves xDS DataSource messages that name a file or an environment variable (the GHSA title places the issue in the SDS DataSource path, i.e. the secret-discovery channel used to deliver material such as TLS certificates and keys), and it does so without any access check on the name the control plane supplied. As a result, an attacker who controls or has compromised the xDS control plane can make the client read arbitrary files readable by its process and any variable in its environment. The disclosed data may include configuration files, credentials, or other sensitive information, giving the attacker insight into the host's internal state or secrets.
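The following is an added illustration, not Armeria's code, of the pattern the analysis describes: a resolver that reads whatever file or variable the control plane names, beside a confined variant that canonicalises the path, checks it stays under one root, and allowlists environment variable names. The `DataSource` record is a hand-rolled stand-in for the Envoy xDS DataSource message (only the field names filename / environment_variable / inline_bytes mirror the proto); `ConfinedResolver`, `resolveUnrestricted` and the sample files and environment map are constructed for this example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.Set;

// Added example, not Armeria's code. DataSource is a stand-in for the Envoy xDS
// DataSource message; the resolver classes and their names are assumptions.
public final class DataSourceResolution {

    /** Stand-in for envoy.config.core.v3.DataSource; exactly one field is set. */
    public record DataSource(String filename, String environmentVariable, byte[] inlineBytes) {
        static DataSource ofFile(String f) { return new DataSource(f, null, null); }
        static DataSource ofEnv(String e)  { return new DataSource(null, e, null); }
    }

    /** The pattern the advisory describes: the control plane names it, the client reads it. */
    public static byte[] resolveUnrestricted(DataSource ds, Map<String, String> env) throws IOException {
        if (ds.filename() != null) {
            return Files.readAllBytes(Path.of(ds.filename()));   // "/etc/passwd" is accepted like any cert path
        }
        if (ds.environmentVariable() != null) {
            String v = env.get(ds.environmentVariable());         // "DB_PASSWORD" is just another name
            return v == null ? new byte[0] : v.getBytes(StandardCharsets.UTF_8);
        }
        return ds.inlineBytes() == null ? new byte[0] : ds.inlineBytes();
    }

    /** Confined variant: files must resolve under one root, env vars must be allowlisted. */
    public static final class ConfinedResolver {
        private final Path root;               // e.g. /etc/envoy/secrets, canonicalised once
        private final Set<String> allowedEnv;  // e.g. Set.of("TLS_CERT_PEM", "TLS_KEY_PEM")

        public ConfinedResolver(Path root, Set<String> allowedEnv) throws IOException {
            this.root = root.toRealPath();
            this.allowedEnv = Set.copyOf(allowedEnv);
        }

        public byte[] resolve(DataSource ds, Map<String, String> env) throws IOException {
            if (ds.filename() != null) {
                // resolve() leaves an absolute filename absolute (so "/etc/passwd" is not
                // rerooted), and toRealPath() collapses ".." and follows symlinks, so the
                // startsWith check is made against the file that would actually be opened.
                Path real = root.resolve(ds.filename()).toRealPath();
                if (!real.startsWith(root)) {
                    throw new SecurityException("DataSource filename escapes " + root + ": " + ds.filename());
                }
                return Files.readAllBytes(real);
            }
            if (ds.environmentVariable() != null) {
                if (!allowedEnv.contains(ds.environmentVariable())) {
                    throw new SecurityException("DataSource env var not allowlisted: " + ds.environmentVariable());
                }
                String v = env.get(ds.environmentVariable());
                return v == null ? new byte[0] : v.getBytes(StandardCharsets.UTF_8);
            }
            return ds.inlineBytes() == null ? new byte[0] : ds.inlineBytes();
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: one secrets root with a cert, one file outside it.
        Path root = Files.createTempDirectory("secrets");
        Files.writeString(root.resolve("tls.crt"), "-----BEGIN CERTIFICATE-----\n...");
        Path outside = Files.createTempFile("outside", ".txt");
        Files.writeString(outside, "not yours");
        Map<String, String> env = Map.of("TLS_CERT_PEM", "cert-bytes", "DB_PASSWORD", "hunter2");

        ConfinedResolver r = new ConfinedResolver(root, Set.of("TLS_CERT_PEM"));

        // Legitimate control-plane requests succeed under both resolvers.
        System.out.println(new String(r.resolve(DataSource.ofFile("tls.crt"), env), StandardCharsets.UTF_8));
        System.out.println(new String(r.resolve(DataSource.ofEnv("TLS_CERT_PEM"), env), StandardCharsets.UTF_8));

        // What a hostile control plane would send: only the unrestricted resolver obeys.
        DataSource[] hostile = {
            DataSource.ofFile(outside.toString()),                      // absolute path outside the root
            DataSource.ofFile(root.relativize(outside).toString()),     // "../outside....txt" traversal
            DataSource.ofEnv("DB_PASSWORD") };                          // variable not on the allowlist
        for (DataSource ds : hostile) {
            try {
                System.out.println("unrestricted: " + new String(resolveUnrestricted(ds, env), StandardCharsets.UTF_8));
            } catch (IOException e) {
                System.out.println("unrestricted: " + e);               // relative traversal is CWD-relative here
            }
            try {
                r.resolve(ds, env);
                System.out.println("confined: ALLOWED (unexpected)");
            } catch (SecurityException e) {
                System.out.println("confined: rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats on the confined form. Because `toRealPath()` follows symlinks, a symlink placed inside the root but pointing outside is rejected, which is what you want for a secrets directory; and the check is still a check-then-open, so the root itself must not be writable by anything less trusted than the process that reads from it.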

Affected Systems

LY Corporation Armeria, versions 1.38.0 through 1.39.0, used by applications that rely on the xDS module for dynamic configuration.

Risk and Exploitability

The CVSS 4.0 base score of 5.9 (Medium) reflects an attack that is network-reachable but high in complexity and, above all, needs high privileges: the attacker must already control the xDS control plane that the Armeria client trusts. The impact is confidentiality only (VC:H, with no integrity or availability impact on the client or on subsequent systems). EPSS data is not available, so the likelihood of exploitation cannot be quantified from existing metrics, and the vulnerability is not listed in CISA's KEV catalog. Once a hostile or compromised control plane can talk to the client, it can name any file readable by the client process and any variable in its environment, and the client will disclose the contents.

Generated by OpenCVE AI on June 19, 2026 at 07:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Armeria to a patched release that resolves unrestricted file and environment variable resolution in the xDS module.
  • Configure the xDS control‑plane to require strong authentication and use a trusted, isolated network segment to prevent unauthorized control planes from reaching the client.
  • Review and restrict the set of environment variables exposed to the client and limit file access permissions for the Armeria process.


Advisories
Source: GitHub GHSA
ID: GHSA-hgw6-8c77-v4gq
Title: Armeria: External Control of File Name or Path in xDS SDS DataSource
History

Fri, 19 Jun 2026 07:45:00 +0000

Type | Values Removed | Values Added
Title | | Armeria xDS Module Arbitrary Local File and Environment Variable Read
Weaknesses | | CWE-200, CWE-22

Fri, 19 Jun 2026 06:15:00 +0000

Type | Values Removed | Values Added
Description | | A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.
References | |
Metrics | | cvssV4_0 {'score': 5.9, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}



MITRE

Status: PUBLISHED

Assigner: LY-Corporation

Published:

Updated: 2026-06-19T05:48:43.989Z

Reserved: 2026-06-09T06:50:06.220Z

Link: CVE-2026-11752

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-19T07:30:16Z

Weaknesses
  • CWE-200

    Exposure of Sensitive Information to an Unauthorized Actor

  • CWE-22

    Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')