CVE-2026-11752

UNKNOWN NVD

CVSS Score 0

Severity UNKNOWN

Published Jun 19, 2026

Vendor unknown

Description

A vulnerability has been identified in armeria-xds versions 1.38.0 through 1.39.0, where DataSourceStream in the xDS module can resolve control-plane-supplied filenames and environment variables without restriction, allowing a compromised or semi-trusted xDS control plane to read arbitrary local files and environment variables on the xDS client host.

References

https://github.com/line/armeria/security/advisories/GHSA-hgw6-8c77-v4gq