CVE-2026-11752
MediumCVSS 5.9Exploitation Probability (EPSS)
Low risk10th percentile — higher than 10% of all known CVEs
Summary
A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction.
Risk Assessment
The risk is that a compromised or semi-trusted xDS control plane can read arbitrary local files and environment variables on the xDS client host, potentially leading to the exposure of sensitive information.
Recommendation
It is recommended to upgrade to the latest version of armeria-xds to mitigate the risk associated with this vulnerability and to restrict access to the xDS control plane only to trusted sources.
Original NVD description (English source)
A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.

