CVE-2026-23538
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Summary
A vulnerability was identified in the Feast Feature Server's /ws/chat endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU, and file descriptors—leading to a complete denial of service for legitimate users.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Feast | Feast Feature Server | 0 < 0.59.0 | affected |
Weaknesses
- CWE-770: Allocation of Resources Without Limits or Throttling
Workarounds
Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.
References
- https://access.redhat.com/security/cve/CVE-2026-23538
- https://bugzilla.redhat.com/show_bug.cgi?id=2429311
- https://github.com/red-hat-data-services/feast/pull/192
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.