CVE-2026-31866 in flagd
Summary
by MITRE • 03/11/2026
flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context included in request payloads is read into memory without any size restriction. An attacker can send a single HTTP request with an arbitrarily large body, causing flagd to allocate a corresponding amount of memory. This leads to immediate memory exhaustion and process termination (e.g., OOMKill in Kubernetes environments). flagd does not natively enforce authentication on its evaluation endpoints. While operators may deploy flagd behind an authenticating reverse proxy or similar infrastructure, the endpoints themselves impose no access control by default. This vulnerability is fixed in 0.14.2.
Analysis
by VulDB Data Team • 03/14/2026
The vulnerability described in CVE-2026-31866 affects flagd, a feature flag daemon designed with Unix philosophy principles that emphasizes simplicity and modularity. This daemon serves as a central service for managing feature flags across distributed systems and provides both OFREP and gRPC endpoints for client applications to evaluate feature flag states. The vulnerability stems from insufficient input validation and memory management practices within the daemon's evaluation endpoints, which are intended to be publicly accessible to client applications. Prior to version 0.14.2, these endpoints lacked proper size restrictions on incoming request payloads, creating a critical security flaw that can be exploited through memory exhaustion attacks.
The flaw lies in how the daemon handles the evaluation context submitted to the OFREP endpoints and the gRPC evaluation services. When processing a request, flagd reads the entire payload into memory with no size limit and no cap on allocation, so a single request with an arbitrarily large body makes the daemon allocate memory proportional to the request size. The issue is especially dangerous because it operates at the memory allocation level and needs no complex exploitation technique; basic network access to the endpoint is enough. Because the endpoints carry no native authentication, any client can reach them without authorization, which widens the exposure of this memory exhaustion vulnerability.
The operational impact is severe: exploitation consumes the daemon's available memory until the operating system or orchestrator terminates the process, for example through an Out-Of-Memory Kill (OOMKill) in containerized environments such as Kubernetes. The result is a denial of service affecting every feature flag evaluation served by that instance, which can degrade or take down all applications that depend on flagd for feature management. This is particularly concerning in production environments where flagd is a critical infrastructure component, since the outage can cascade into broader system failures across dependent services.
The vulnerability aligns with CWE-400, which covers "Uncontrolled Resource Consumption," specifically addressing the lack of resource limits on input processing that leads to system resource exhaustion. It also relates to CWE-310, "Cryptographic Issues," as the absence of native authentication mechanisms creates an unauthenticated access vector that can be exploited without prior credentials. From an ATT&CK framework perspective, this vulnerability maps to T1190 "Exploit Public-Facing Application" and T1499.004 "Endpoint Denial of Service" as it allows adversaries to exploit publicly accessible services to cause denial of service conditions. The fix implemented in version 0.14.2 addresses this by introducing proper request size limitations and memory allocation controls that prevent excessive resource consumption while maintaining the daemon's core functionality. Organizations should implement immediate mitigations including deploying the patched version, configuring rate limiting, and implementing additional authentication layers through reverse proxies or API gateways to protect against unauthorized access to the vulnerable endpoints.
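The following is an added illustration, written for this page in Go (flagd is a Go service) and not taken from flagd's code base, of the weak pattern described above beside the corrected one: an HTTP handler that buffers the whole request body before decoding it, next to one that wraps the body in `http.MaxBytesReader` so a request over the limit fails with 413 after at most the limit has been read. The limit of 64 KiB, the handler names, the request path and the shape of the JSON body are assumptions chosen for the example, not flagd's own settings or types; the oversized payload is constructed inline.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// MaxEvaluationBodyBytes is an assumed ceiling for one evaluation request.
// The value is an illustrative choice for this example, not flagd's setting.
const MaxEvaluationBodyBytes = 64 * 1024

// evaluationRequest approximates an OFREP evaluate body: a context object.
// It is a simplified stand-in, not flagd's actual request type.
type evaluationRequest struct {
	Context map[string]any `json:"context"`
}

// unboundedHandler shows the weak pattern: the entire body is read into
// memory before anything is validated, so memory use tracks request size.
func unboundedHandler(w http.ResponseWriter, r *http.Request) {
	body, err := io.ReadAll(r.Body)
	if err != nil {
		http.Error(w, "read error", http.StatusBadRequest)
		return
	}
	var req evaluationRequest
	if err := json.Unmarshal(body, &req); err != nil {
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "ok: %d context keys", len(req.Context))
}

// boundedHandler shows the corrected pattern: the body is capped with
// http.MaxBytesReader and decoded as a stream, so an oversized request is
// rejected with 413 once the cap is exceeded instead of being buffered whole.
func boundedHandler(w http.ResponseWriter, r *http.Request) {
	r.Body = http.MaxBytesReader(w, r.Body, MaxEvaluationBodyBytes)
	var req evaluationRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		var tooLarge *http.MaxBytesError
		if errors.As(err, &tooLarge) {
			http.Error(w, "request body too large", http.StatusRequestEntityTooLarge)
			return
		}
		http.Error(w, "bad json", http.StatusBadRequest)
		return
	}
	fmt.Fprintf(w, "ok: %d context keys", len(req.Context))
}

// oversizedBody builds a constructed, syntactically valid evaluation payload
// whose context holds one string of n bytes.
func oversizedBody(n int) string {
	return `{"context":{"pad":"` + strings.Repeat("A", n) + `"}}`
}

// exercise posts body to handler in-process and returns the HTTP status code.
func exercise(handler http.HandlerFunc, body string) int {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/ofrep/v1/evaluate/flags/demo", strings.NewReader(body))
	req.Header.Set("Content-Type", "application/json")
	handler(rec, req)
	return rec.Code
}

func main() {
	small := `{"context":{"targetingKey":"user-1"}}`
	big := oversizedBody(MaxEvaluationBodyBytes * 4)
	fmt.Println("unbounded handler, small body:", exercise(unboundedHandler, small))
	fmt.Println("unbounded handler, large body:", exercise(unboundedHandler, big))
	fmt.Println("bounded handler, small body:  ", exercise(boundedHandler, small))
	fmt.Println("bounded handler, large body:  ", exercise(boundedHandler, big))
}
```

The bounded handler answers 413 for the oversized payload while still accepting the small one; the unbounded handler accepts both and has already allocated the full body by the time it answers. A reverse proxy body-size limit in front of the service, as the summary suggests, gives a second layer of the same control, and a count of 413 responses on the evaluation path is a cheap signal that something is probing the limit.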