Description
Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() — the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.
Published: 2026-06-10
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Kanidm identity management servers suffered a stack overflow in the SCIM filter parser when an unauthenticated GET request to any /scim/v1/... endpoint carried a query string with a few thousand nested parentheses. The parser runs before any access control check, and the resulting stack exhaustion triggers Rust's std::process::abort(), terminating the entire kanidmd process. The vulnerability leads to a denial of service and is not exploitable for code execution or privilege escalation. The weakness falls under CWE-400 (Uncontrolled Resource Consumption), CWE-248 (Uncaught Exception), and CWE-674 (Uncontrolled Recursion).

Affected Systems

Any installation of Kanidm running a version earlier than 1.9.3 (any variant of the kanidm product) is affected. Updating to version 1.9.3 or later removes the recursive parser and eliminates the stack guard failure.

Risk and Exploitability

The CVSS v4.0 score of 8.7 classifies this issue as high severity. No EPSS score is currently reported, and the vulnerability is not listed in CISA's KEV catalog, suggesting no confirmed exploitation yet. An attacker can trigger the denial of service simply by sending a crafted, unauthenticated HTTP GET to a vulnerable SCIM endpoint, which is reachable over the network, so the likelihood of exploitation in hostile environments is high.

Generated by OpenCVE AI on June 10, 2026 at 22:57 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Kanidm to version 1.9.3 or later to remove the vulnerable parser code.
  • If an immediate upgrade is not possible, block or rate-limit external access to the /scim/v1/... endpoints and reject requests containing large or deeply nested "?filter=" query strings.
  • Configure the web server or application gateway to enforce a maximum query string length, so that any request exceeding the safe threshold is rejected before it reaches the application core.
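As an added illustration (not Kanidm's parser or any code from the project), a minimal recursive-descent parser over parenthesised filter groups that refuses to descend past a fixed nesting depth, plus the length pre-check recommended above; the guard before each descent is what keeps a few thousand nested parentheses from exhausting the stack. MAX_DEPTH and MAX_FILTER_LEN are assumed values.

```rust
// Added example, not Kanidm's parser: a minimal recursive-descent parser for
// parenthesised filter groups that refuses to recurse past a fixed depth.
// MAX_DEPTH and MAX_FILTER_LEN are assumed values, not Kanidm's settings.
const MAX_DEPTH: usize = 32;
const MAX_FILTER_LEN: usize = 2048;

#[derive(Debug, PartialEq)]
pub enum ParseError {
    TooDeep { max_depth: usize },
    Unbalanced,
}

/// Parses `( ... )` groups around opaque terms and returns the deepest nesting seen.
pub fn parse_filter(input: &str) -> Result<usize, ParseError> {
    let mut pos = 0;
    parse_group(input.as_bytes(), &mut pos, 0)
}

fn parse_group(b: &[u8], pos: &mut usize, depth: usize) -> Result<usize, ParseError> {
    // The guard runs before any further descent, so the call stack never grows
    // beyond MAX_DEPTH + 1 frames no matter how many '(' the input contains.
    if depth > MAX_DEPTH {
        return Err(ParseError::TooDeep { max_depth: MAX_DEPTH });
    }
    let mut deepest = depth;
    while *pos < b.len() {
        match b[*pos] {
            b'(' => {
                *pos += 1;
                deepest = deepest.max(parse_group(b, pos, depth + 1)?);
                if *pos >= b.len() || b[*pos] != b')' {
                    return Err(ParseError::Unbalanced);
                }
                *pos += 1;
            }
            // A ')' closes the current group; at the top level it is unmatched.
            b')' => return if depth == 0 { Err(ParseError::Unbalanced) } else { Ok(deepest) },
            _ => *pos += 1, // attribute, operator and value tokens are not modelled here
        }
    }
    if depth != 0 {
        return Err(ParseError::Unbalanced); // input ended inside an open group
    }
    Ok(deepest)
}

/// Edge check a gateway or handler can apply before the real parser runs:
/// a cheap length cap first, then the depth-bounded parse.
pub fn filter_is_acceptable(filter: &str) -> bool {
    filter.len() <= MAX_FILTER_LEN && parse_filter(filter).is_ok()
}
```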

Advisories
Source: GitHub GHSA
ID: GHSA-r5fr-9gmv-jggh
Title: scim_proton and kanidm_proto have an authenticated process abort via SCIM filter stack exhaustion
History

Wed, 10 Jun 2026 21:00:00 +0000

Type | Values Removed | Values Added
Description | | Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() — the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.
Title | | Kanidm: Unauthenticated process abort via SCIM filter stack exhaustion
Weaknesses | | CWE-248, CWE-400, CWE-674
References | |
Metrics | | cvssV4_0 {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-10T20:28:44.009Z

Reserved: 2026-05-15T21:46:51.548Z

Link: CVE-2026-46689

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-06-10T22:17:00.443

Modified: 2026-06-10T22:17:00.443

Link: CVE-2026-46689

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T23:00:20Z

Weaknesses