Description
A vulnerability was identified in the Feast Feature Server's `/ws/chat` endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU, and file descriptors—leading to a complete denial of service for legitimate users.
Published: n/a
Score: 7.5 High
EPSS: n/a
KEV: No
Impact: Denial of Service
Action: Immediate Patch
AI Analysis

Impact

The flaw exists in Feast Feature Server’s /ws/chat WebSocket endpoint, where authentication is not required. An attacker can open many long-lived connections, consuming memory, CPU and file descriptor resources, and ultimately cause the server to become unresponsive to legitimate users. This is a classic resource exhaustion weakness, identified as CWE-770.

Affected Systems

The product affected is Feast Feature Server. No specific version information was provided, so any deployment that exposes the /ws/chat endpoint without authentication may be vulnerable.

Risk and Exploitability

The CVSS score of 7.5 indicates a high severity risk. Although no exploit probability metric is available, the lack of authentication means the endpoint can be reached remotely with minimal prerequisites. The vulnerability is not listed in CISA’s Known Exploited Vulnerabilities catalog. Given the ability to connect from any network source and the critical impact on availability, the likelihood of exploitation is significant.

Generated by OpenCVE AI on March 21, 2026 at 07:33 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the latest Feast Feature Server patch once it is available.
  • Configure infrastructure to limit concurrent WebSocket connections per client or IP, using firewall rules or load balancer policies.
  • Require authentication for the /ws/chat endpoint, or implement rate limiting to reduce connection churn.
  • Monitor server resource metrics and set alerts for abnormal spikes in memory or CPU usage that may signal an ongoing attack.
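The per-client connection cap, the authentication requirement and the rejection counters for monitoring from the recommendations above, as an added example that is not Feast's own code: a framework-agnostic guard that reads only the ASGI WebSocket scope and decides whether the upgrade may be accepted. The bearer-token header, the token value and the limits are assumptions chosen for the demo.

```python
import hmac
from collections import Counter

SHARED_TOKEN = b"example-token-not-a-real-secret"  # constructed demo secret, not a real one


def _client_ip(scope):
    return (scope.get("client") or ("unknown", 0))[0]


def _bearer(scope):
    # Assumed scheme: clients send "Authorization: Bearer <token>" on the upgrade.
    for name, value in scope.get("headers", []):
        if name.lower() == b"authorization" and value.startswith(b"Bearer "):
            return value[len(b"Bearer "):]
    return None


class WebSocketGuard:
    """Require a bearer token, cap live connections per client IP and cap the
    total open sockets. Reads only the ASGI scope keys "client" and "headers"."""

    def __init__(self, per_ip_limit=5, global_limit=500, token=SHARED_TOKEN):
        self.per_ip_limit = per_ip_limit
        self.global_limit = global_limit
        self.token = token
        self.open_per_ip = Counter()  # live connections per client IP
        self.total_open = 0
        self.rejected = Counter()     # rejection reasons, exported for alerting

    def admit(self, scope):
        """Return (allowed, reason); call before accept(), release() on close."""
        token = _bearer(scope)
        # Authenticate first so unauthenticated clients never hold a slot.
        if token is None or not hmac.compare_digest(token, self.token):
            self.rejected["unauthenticated"] += 1
            return False, "unauthenticated"
        if self.total_open >= self.global_limit:
            self.rejected["global_limit"] += 1
            return False, "global_limit"
        ip = _client_ip(scope)
        if self.open_per_ip[ip] >= self.per_ip_limit:
            self.rejected["per_ip_limit"] += 1
            return False, "per_ip_limit"
        self.open_per_ip[ip] += 1
        self.total_open += 1
        return True, "ok"

    def release(self, scope):
        """Free the slot when the connection ends (call from a finally block)."""
        ip = _client_ip(scope)
        if self.open_per_ip[ip] > 0:
            self.open_per_ip[ip] -= 1
            self.total_open -= 1
```

In a FastAPI or Starlette handler the call order is admit() before `await websocket.accept()` and release() in the handler's `finally`, so a closed or crashed socket always gives its slot back.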

Advisories

No advisories yet.

History

Tue, 24 Mar 2026 10:45:00 +0000

  Type: First Time appeared
  Values added: Redhat; Redhat openshift Ai

  Type: Vendors & Products
  Values added: Redhat; Redhat openshift Ai

Sat, 21 Mar 2026 05:30:00 +0000

  Type: Description
  Values added: A vulnerability was identified in the Feast Feature Server's `/ws/chat` endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU, and file descriptors—leading to a complete denial of service for legitimate users.

  Type: Title
  Values added: feast: Resource exhaustion via WebSocket endpoint

  Type: Weaknesses
  Values added: CWE-770

  Type: References
  Values added: (none)

  Type: Metrics
  Values: threat_severity: None; cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}; threat_severity: Important


MITRE

No data.

Vulnrichment

No data.

NVD

No data.

Redhat

Severity : Important

Public Date: 2026-03-20T00:00:00Z

Links: CVE-2026-23538 - Bugzilla

OpenCVE Enrichment

Updated: 2026-03-24T10:35:09Z

Weaknesses