CVE-2025-8866

Summary

YugabyteDB Anywhere web server does not properly enforce authentication for the /metamaster/universe API endpoint. An unauthenticated attacker could exploit this flaw to obtain server networking configuration details, including private and public IP addresses and DNS records.

Affected Software

VendorProductVersion RangeStatus
YugabyteDB IncYugabyteDB Anywhere2025.*unaffected
YugabyteDB IncYugabyteDB Anywhere2024.*affected
YugabyteDB IncYugabyteDB Anywhere2.20.*affected

Weaknesses

  • CWE-200: CWE-200 Exposure of Sensitive Information to an Unauthorized Actor

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References