Description
flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context included in request payloads is read into memory without any size restriction. An attacker can send a single HTTP request with an arbitrarily large body, causing flagd to allocate a corresponding amount of memory. This leads to immediate memory exhaustion and process termination (e.g., OOMKill in Kubernetes environments). flagd does not natively enforce authentication on its evaluation endpoints. While operators may deploy flagd behind an authenticating reverse proxy or similar infrastructure, the endpoints themselves impose no access control by default. This vulnerability is fixed in 0.14.2.
Published: 2026-03-11
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service via Memory Exhaustion
Action: Immediate Patch
AI Analysis

Impact

The feature flag daemon flagd processes evaluation requests through its OFREP and gRPC endpoints. An attacker can submit an evaluation request with an arbitrarily large body, and flagd reads the payload into memory without imposing any size limit. The daemon therefore allocates as many bytes as the attacker chooses to send, leading to rapid memory exhaustion, process termination, or OOM killing in container environments. The vulnerability is an instance of CWE-770 (Allocation of Resources Without Limits or Throttling) and results in denial of service to every client that relies on the daemon.

Affected Systems

Affected installations are any deployments of open‑feature flagd with a version older than 0.14.2. The flaw exists in both the HTTP/OFREP and gRPC evaluation interfaces, which are by design publicly reachable if the operator does not enforce authentication. Deployments that expose these endpoints to untrusted networks run significant risk of resource exhaustion.

Risk and Exploitability

The CVSS 3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) rates this issue High: it is reachable over the network, requires no privileges or user interaction, and has a high impact on availability only. The EPSS score of under 1% indicates it is not among the vulnerabilities most commonly exploited in the wild, and it is not listed in CISA's Known Exploited Vulnerabilities catalog. The likely attack vector is a single oversized HTTP (OFREP) or gRPC evaluation request sent from any network position that can reach the endpoints, which enforce no authentication by default. Because one request is enough to trigger memory exhaustion, network exposure is the main risk driver: deployments whose evaluation endpoints are reachable from untrusted networks should treat this as urgent, while restricting reachability to trusted clients reduces but does not eliminate the risk, since any client able to reach the endpoint can cause the outage.

Generated by OpenCVE AI on March 20, 2026 at 17:54 UTC.

Remediation

Vendor fix: flagd 0.14.2 or later (see the description and GHSA-rmrf-g9r3-73pm). No vendor workaround is listed; the recommended actions below describe interim mitigations for deployments that cannot upgrade immediately.

OpenCVE Recommended Actions

  • Upgrade flagd to version 0.14.2 or later
  • If an upgrade cannot be applied immediately, place flagd behind a reverse proxy that limits request size or enforces authentication to prevent large payloads from reaching the daemon
  • Monitor memory usage of the flagd process and set alerts for unusual spikes that could indicate abuse

Generated by OpenCVE AI on March 20, 2026 at 17:54 UTC.
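The following Go program is an added illustration of the failure mode described in the Impact section and of the request-size limit recommended above. It is not flagd's code and not the fix shipped in 0.14.2 (whose specifics this page does not give). The request shape, the 64 KiB cap, the handler names and the request path used here are assumptions made for the example: UnboundedHandler buffers the whole body with io.ReadAll, so allocation equals whatever the client sends; BoundedHandler wraps the body in http.MaxBytesReader and answers 413 once the cap is exceeded.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxEvalBodyBytes is an assumed cap on an OFREP evaluation body. Size it to
// the largest legitimate evaluation context your clients send; 64 KiB is a
// placeholder chosen for this example, not a value taken from flagd.
const MaxEvalBodyBytes = 64 * 1024

// ofrepRequest is a minimal stand-in for an OFREP evaluation body: the
// client-supplied "context" object is the part an attacker can inflate.
type ofrepRequest struct {
	Context map[string]any `json:"context"`
}

// UnboundedHandler shows the vulnerable pattern the advisory describes:
// io.ReadAll buffers the entire request body before parsing, so the server
// allocates as many bytes as the client chooses to send.
func UnboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body) // no size limit
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	respond(w, body)
}

// BoundedHandler is the hardened form: http.MaxBytesReader stops reading
// after MaxEvalBodyBytes and returns *http.MaxBytesError, which is mapped to
// 413 Request Entity Too Large. On a real net/http server the wrapper also
// tells the server to close the connection rather than drain the rest.
func BoundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxEvalBodyBytes)
	body, err := io.ReadAll(r.Body)
	if err != nil {
		var tooBig *http.MaxBytesError
		if errors.As(err, &tooBig) {
			http.Error(w, "evaluation context too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	respond(w, body)
}

// respond parses the body and reports how many context keys were received.
func respond(w http.ResponseWriter, body []byte) {
	var req ofrepRequest
	if err := json.Unmarshal(body, &req); err != nil {
		http.Error(w, "malformed evaluation request", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "evaluated with %d context keys\n", len(req.Context))
}

// ContextBody builds a constructed OFREP-style body whose context carries a
// single string value of n bytes, the simplest way to produce an oversized
// request. The flag name and keys are made up for this example.
func ContextBody(n int) []byte {
	return []byte(fmt.Sprintf(`{"context":{"targetingKey":"user-1","padding":"%s"}}`,
		strings.Repeat("A", n)))
}

// Probe sends body to h through net/http/httptest and returns the status
// code, so both handlers can be compared offline without a listening socket.
func Probe(h http.HandlerFunc, body []byte) int {
	req := httptest.NewRequest(http.MethodPost, "/ofrep/v1/evaluate/flags/example-flag", bytes.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	rec := httptest.NewRecorder()
	h(rec, req)
	return rec.Code
}

func main() {
	big := ContextBody(4 << 20) // 4 MiB of padding, far above the cap
	small := ContextBody(64)
	fmt.Println("unbounded, 4 MiB body:", Probe(UnboundedHandler, big)) // fully buffered, 200
	fmt.Println("bounded,   4 MiB body:", Probe(BoundedHandler, big))   // rejected at the cap, 413
	fmt.Println("bounded,   small body:", Probe(BoundedHandler, small)) // 200
}
```

The cap must sit in front of whatever reads the body, not after it: checking Content-Length alone is insufficient because a chunked request carries none. The same limit can be applied at a reverse proxy (for example nginx's client_max_body_size on the /ofrep/ location) as the interim mitigation above suggests, but the gRPC evaluation services need their own limit on the gRPC listener (grpc-go exposes this as the server's MaxRecvMsgSize option), since an HTTP body cap does not cover them.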


Advisories
Source: Github GHSA
ID: GHSA-rmrf-g9r3-73pm
Title: flagd Vulnerable to Allocation of Resources Without Limits or Throttling
History

Fri, 20 Mar 2026 16:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Openfeature
                                      Openfeature flagd
CPEs                                  cpe:2.3:a:openfeature:flagd:*:*:*:*:*:*:*:*
Vendors & Products                    Openfeature
                                      Openfeature flagd

Thu, 12 Mar 2026 14:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 12 Mar 2026 10:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared                   Open-feature
                                      Open-feature flagd
Vendors & Products                    Open-feature
                                      Open-feature flagd

Wed, 11 Mar 2026 18:00:00 +0000

Type          Values Removed   Values Added
Description                    flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context included in request payloads is read into memory without any size restriction. An attacker can send a single HTTP request with an arbitrarily large body, causing flagd to allocate a corresponding amount of memory. This leads to immediate memory exhaustion and process termination (e.g., OOMKill in Kubernetes environments). flagd does not natively enforce authentication on its evaluation endpoints. While operators may deploy flagd behind an authenticating reverse proxy or similar infrastructure, the endpoints themselves impose no access control by default. This vulnerability is fixed in 0.14.2.
Title                          Allocation of Resources Without Limits or Throttling in flagd
Weaknesses                     CWE-770
References
Metrics                        cvssV3_1: {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T13:50:21.906Z

Reserved: 2026-03-09T19:02:25.013Z

Link: CVE-2026-31866

Vulnrichment

Updated: 2026-03-12T13:50:18.423Z

NVD

Status : Analyzed

Published: 2026-03-11T18:16:25.460

Modified: 2026-03-20T16:21:07.993

Link: CVE-2026-31866

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-23T09:55:19Z

Weaknesses