Cyber Resilience

CVE-2026-31866

Severity: High · Category: DDoS

Published: 11 March 2026

Modified: 20 March 2026
KEV Added: not listed
Patch: flagd 0.14.2
CVSS Score (v3.1): 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
EPSS Score: 0.0011 (29.4th percentile)
Risk Priority: 15 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2026-31866 is a high-severity Allocation of Resources Without Limits or Throttling (CWE-770) vulnerability in Openfeature Flagd. Its CVSS base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Application or System Exploitation (T1499.004). By EPSS exploit likelihood the CVE ranks at the 29.4th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 SC-5 (Denial-of-service Protection) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-31866 is a denial-of-service vulnerability (CWE-770) in flagd, a feature flag daemon, affecting versions prior to 0.14.2. The issue stems from the OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints used for feature flag evaluation, which are designed for public access by client applications. These endpoints read the evaluation context from request payloads into memory without any size restrictions, enabling memory exhaustion. The vulnerability has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H) and was published on 2026-03-11.

Any network-accessible, unauthenticated attacker can exploit this vulnerability by sending a single HTTP request with an arbitrarily large body. This forces flagd to allocate a corresponding amount of memory, resulting in immediate memory exhaustion and process termination, such as OOMKill in Kubernetes environments. flagd lacks native authentication on these endpoints, though operators may mitigate exposure via reverse proxies.

The vulnerability is addressed in flagd 0.14.2. Security practitioners should upgrade to this version or later. Additional details are available in the GitHub security advisory (https://github.com/open-feature/flagd/security/advisories/GHSA-rmrf-g9r3-73pm) and the fixing commit (https://github.com/open-feature/flagd/commit/25c5fd7e80c26eb2c00b20317b2456fe6f927ea3), which recommend deploying flagd behind authenticating infrastructure where possible.


Vulnerability details

flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context included in request payloads is read into memory without any size restriction. An attacker can send a single HTTP request with an arbitrarily large body, causing flagd to allocate a corresponding amount of memory. This leads to immediate memory exhaustion and process termination (e.g., OOMKill in Kubernetes environments). flagd does not natively enforce authentication on its evaluation endpoints. While operators may deploy flagd behind an authenticating reverse proxy or similar infrastructure, the endpoints themselves impose no access control by default. This vulnerability is fixed in 0.14.2.


Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1499.004 Application or System Exploitation (Impact)
Adversaries may exploit software vulnerabilities that can cause an application or system to crash and deny availability to users.
Why these techniques?

The CVE enables direct exploitation of public endpoints to trigger application memory exhaustion and process termination (DoS).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2021-47877 (shared CWE-770)
CVE-2026-3260 (shared CWE-770)
CVE-2025-66560 (shared CWE-770)
CVE-2025-68136 (shared CWE-770)
CVE-2020-37038 (shared CWE-770)
CVE-2025-36070 (shared CWE-770)
CVE-2021-47791 (shared CWE-770)
CVE-2021-47876 (shared CWE-770)
CVE-2019-25342 (shared CWE-770)
CVE-2026-44004 (shared CWE-770)

Affected Assets

Vendor: openfeature
Product: flagd
Versions: ≤ 0.14.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: SC-5 directly mitigates the memory exhaustion DoS by requiring protections against resource denial from oversized request payloads on public endpoints.

Prevent: SI-10 enforces validation of evaluation context payloads to reject arbitrarily large inputs before memory allocation occurs.

Prevent: SI-9 restricts request body length and type to prevent unbounded memory consumption from large HTTP or gRPC payloads.
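The following Go handler is an added example, not flagd's own code, showing the class of fix the deeper analysis describes and the body-length restriction the controls above call for: the bytes read from an evaluation request are capped before the context is decoded, so an oversized body is answered with 413 instead of being allocated in full. The 64 KiB limit, the request shape, the route and the port are assumptions.

```go
package main

import (
	"encoding/json"
	"errors"
	"log"
	"net/http"
)

// maxEvalBodyBytes caps the bytes read from a request body; 64 KiB is an assumption.
const maxEvalBodyBytes = 64 << 10

// evaluationRequest models only the context field of an OFREP-style payload
// (an assumption; flagd's own request types are not used here).
type evaluationRequest struct {
	Context map[string]interface{} `json:"context"`
}

// decodeEvaluationContext bounds the read with http.MaxBytesReader, so at most
// maxBytes (+1 to detect overflow) reaches memory instead of the whole body.
func decodeEvaluationContext(w http.ResponseWriter, r *http.Request, maxBytes int64) (*evaluationRequest, error) {
	r.Body = http.MaxBytesReader(w, r.Body, maxBytes)
	var req evaluationRequest
	if err := json.NewDecoder(r.Body).Decode(&req); err != nil {
		return nil, err // *http.MaxBytesError once maxBytes is exceeded
	}
	return &req, nil
}

// evaluateHandler answers 413 for oversized bodies, 400 for malformed JSON and
// 200 with a key count otherwise (the count stands in for flag evaluation).
func evaluateHandler(w http.ResponseWriter, r *http.Request) {
	req, err := decodeEvaluationContext(w, r, maxEvalBodyBytes)
	var tooLarge *http.MaxBytesError
	switch {
	case errors.As(err, &tooLarge):
		http.Error(w, "evaluation context too large", http.StatusRequestEntityTooLarge)
		return
	case err != nil:
		http.Error(w, "malformed evaluation request", http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	_ = json.NewEncoder(w).Encode(map[string]int{"contextKeys": len(req.Context)})
}

func main() { // route and port are assumptions, not flagd's real configuration
	http.HandleFunc("/ofrep/v1/evaluate/flags/", evaluateHandler)
	log.Fatal(http.ListenAndServe(":8016", nil))
}
```

A reverse proxy in front of the daemon can enforce the same cap independently, which also covers the gRPC endpoints this handler does not model.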
