Description
Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment. This vulnerability is fixed in 2.83.2.
Published: 2026-05-12
Score: 6.1 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an administrator who can approve privacy requests to bypass the subject identity verification process when duplicate request detection is enabled. The result is that erasure policies can be executed without ever confirming the data subject's identity, leading to unauthorized removal of that subject's records across all configured integrations. The weakness involves insufficient authentication and authorization controls, as reflected by the listed CWEs (CWE-288, CWE-306, CWE-841).

Affected Systems

Deployments of Ethyca Fides, the open-source privacy engineering platform, at versions from 2.75.0 up to, but not including, 2.83.2. Any installation that has both subject identity verification and duplicate privacy request detection enabled is vulnerable.

Risk and Exploitability

The CVSS score of 6.1 indicates a moderate-severity vulnerability. With no EPSS score available and the vulnerability not listed in CISA KEV, the likelihood of public exploitation is not quantified but is potentially low to moderate. The attack requires privileged administrator access; an attacker who gains such access or compromises an administrator account can exploit the flaw. Consequently, the risk is primarily systemic data loss rather than remote code execution.

Generated by OpenCVE AI on May 12, 2026 at 19:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to Fides 2.83.2 or later to apply the fixed code.
  • If immediate upgrade is not possible, disable duplicate privacy request detection or subject identity verification until the patch is applied.
  • Restrict administrator privileges and enforce strict authentication and authorization policies to limit the window of opportunity for an attacker to abuse this path.
  • Monitor audit logs for unauthorized privacy request approvals and deletions to detect any exploitation.


Advisories
Source: GitHub GHSA
ID: GHSA-qx5f-ghc2-7g5c
Title: Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection
History

Tue, 12 May 2026 23:45:00 +0000

First Time appeared (values added): Ethyca; Ethyca fides
Vendors & Products (values added): Ethyca; Ethyca fides

Tue, 12 May 2026 19:15:00 +0000

Metrics (values added): ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 12 May 2026 18:15:00 +0000

Description (values added): Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment. This vulnerability is fixed in 2.83.2.
Title (values added): Fides: Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection
Weaknesses (values added): CWE-288; CWE-306; CWE-841
References (values added):
Metrics (values added): cvssV4_0

{'score': 6.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:H/SA:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T18:40:09.815Z

Reserved: 2026-04-26T12:13:55.552Z

Link: CVE-2026-42303

Vulnrichment

Updated: 2026-05-12T18:39:06.577Z

NVD

Status: Received

Published: 2026-05-12T18:17:24.540

Modified: 2026-05-12T19:16:33.080

Link: CVE-2026-42303

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T23:30:26Z

Weaknesses