Severity: HIGH | CVE-2026-44541 | CNA: GitHub_M

CVE-2026-44541: Fides: DOM-based XSS vulnerability in fides.js via fides_description override

Fides is an open-source privacy engineering platform. From version 2.33.0 to before version 2.84.5, there is a DOM-based XSS vulnerability in fides.js via the fides_description override. This issue has been patched in version 2.84.5.

Metrics

CVSS v4.0: 7.0
Severity: HIGH
Fixed in:
Affected Products: 1


HarborGuard Analysis

Synopsis

DOM-based cross-site scripting (XSS) is present in the Fides open-source privacy engineering platform, specifically in the fides.js library via the fides_description override, affecting versions from 2.33.0 until the fix in 2.84.5. The vulnerability is reachable over the network with no authentication required, though successful exploitation depends on a specific precondition being met in the target environment. A successful attack has high confidentiality and integrity impact on the subsequent system (SC:H, SI:H), enabling script injection that can modify page content and exfiltrate data from affected browser sessions. HarborGuard tracks this advisory and will make a patched-image rebuild available for environments running an affected version as soon as version 2.84.5 is confirmed in upstream package feeds.

HarborGuard Coverage

Detection: Available

Detection is available across every HarborGuard environment: CVE-2026-44541 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle the affected fides.js library. Any image in a connected registry or CI pipeline that contains a vulnerable version of ethyca/fides is flagged automatically.

Triage: Available

HarborGuard surfaces this CVE with its CVSS v4.0 score of 7.0 (HIGH), weighted against each customer organization's active compliance policy to determine escalation priority. Findings are routed to the appropriate team inbox within the customer org based on image ownership and policy configuration.

Patch: Pending upstream

Because no fix version has been confirmed in upstream package feeds at the time of publication, HarborGuard re-checks the advisory each ingest cycle and will make a patched-image rebuild available the moment version 2.84.5 is indexed upstream. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will trigger automatically at that point.

Exploit Conditions

  • Network reachability: Required (AV:N)

    The vulnerable fides.js code is served over the network, so an attacker must be able to reach the affected web endpoint to deliver the malicious fides_description payload.

  • Authentication: Not required (PR:N)

    No account or credentials are needed; the fides_description override can be supplied by an unauthenticated party.

  • Victim interaction: Not required (UI:N)

    No user action such as clicking a link or opening a file is needed to trigger the DOM-based XSS once the payload is in place.

  • Attack complexity: Low (AC:L), precondition required (AT:P)

    The exploit itself requires no complex conditions, but the AT:P token indicates that a specific precondition in the deployment environment must be present for the attack to succeed, which makes exploitation opportunistic rather than universally reliable.

Blast Radius

  • An attacker can inject arbitrary JavaScript into pages rendered by fides.js, rewriting visible page content seen by users interacting with the privacy consent UI.
  • Injected scripts can read and exfiltrate session tokens, cookies, or form input captured in the browser context of the affected page.
  • Because the integrity impact falls on the subsequent system (SI:H), the attacker can silently alter consent records or privacy preference submissions sent from the browser.
  • Confidentiality impact on the subsequent system (SC:H) means sensitive data surfaced through the Fides consent interface is exposed to the attacker-controlled script.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively monitored each ingest cycle because no fix version has been confirmed in upstream package feeds at the time of publication. The moment version 2.84.5 is indexed, a patched-image rebuild becomes available automatically, and customers with auto-remediation enabled will receive a rebuild, a regression test run, and a PR opened against affected workloads with no manual intervention required.

In the interim, compensating controls worth considering include:

  • network-policy isolation that restricts which origins can supply the fides_description parameter;
  • content-security-policy headers that block inline script execution on pages loading fides.js;
  • feature-flag gating to disable the fides_description override entirely until a patched image is deployed.

For high-severity findings like this one, the median time from upstream fix publication to a merged patch PR is around 90 minutes for environments with auto-remediation enabled.

Affected packages
  • ethyca/fides: >= 2.33.0, < 2.84.5
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N