CVE-2026-46689: Kanidm: Unauthenticated process abort via SCIM filter stack exhaustion
Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() — the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.
Metrics
- CVSS v4.0: 8.7
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A stack exhaustion (denial of service) vulnerability affects Kanidm, an identity management platform, in versions prior to 1.9.3. An attacker can reach the vulnerable endpoint over the network without any credentials and trigger the flaw by sending a single HTTP GET request with a deeply nested SCIM filter query string. Successful exploitation causes Rust's stack overflow handler to call std::process::abort(), crashing the entire kanidmd process and taking down identity services for all connected applications. A patched-image rebuild at version 1.9.3 is available on HarborGuard for environments running an affected version.
HarborGuard Coverage
Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built Kanidm images, in both registry scans and CI/CD pipeline checks. Any image running kanidm prior to 1.9.3 will surface as affected.
Prioritization is available: HarborGuard scores this finding at CVSS 8.7 (HIGH) and can weight it further against each environment's compliance policy, for example elevating priority where Kanidm serves as a critical authentication provider. Triage alerts are routable to the team inbox or ticketing integration configured for each customer org.
Remediation is pending upstream: no fix version has been published upstream yet, so HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment version 1.9.3 or a later fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically without manual intervention.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the kanidmd service over the network; the vulnerable SCIM endpoint is exposed via HTTP, making any internet- or intranet-facing deployment a viable target.
- Authentication: Not required
  No credentials or session token are needed; the flaw is triggered inside the query-string extractor before any ACL or authentication check runs.
- Victim interaction: Not required
  No user action is required; the attacker sends a single crafted GET request and the abort is triggered server-side without any victim participation.
- Attack complexity: Low
  Attack complexity is low: the exploit requires only a single HTTP request containing a few kilobytes of nested parentheses, with no race conditions, memory-layout dependencies, or environmental setup needed.
Blast Radius
- Crashes the entire kanidmd process, immediately terminating all active authentication and identity management sessions.
- Takes all applications that rely on Kanidm for SSO, LDAP, or SCIM provisioning offline until the process is manually restarted or a supervisor restarts it.
- No data is read or modified, but service availability is completely eliminated for the duration of the outage.
- Repeated single-request attacks can sustain a continuous denial of service, preventing recovery without network-level filtering.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-46689 is active across all customer registry and pipeline scans, flagging any kanidm image below version 1.9.3 as HIGH severity. Because no fix version has been published upstream yet, HarborGuard monitors the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. For customers with auto-remediation enabled, the rebuilt image will immediately enter a regression test run and a PR will be opened against affected workloads, with a typical median time from CVE publication to merged patch PR of around 90 minutes for HIGH-severity issues once an upstream fix exists. In the interim, compensating controls worth considering include network-policy rules that restrict access to SCIM endpoints to trusted source CIDRs, an ingress or reverse-proxy layer that enforces a maximum query-string length (rejecting requests above a few hundred bytes on the filter parameter), and feature-flag or routing-level disabling of the /scim/v1/ path if SCIM provisioning is not actively in use.
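As an added illustration of the compensating control described above (example code, not Kanidm's or HarborGuard's; the byte and depth caps are assumed values), this is a single-pass, non-recursive guard that an ingress filter or a request extractor could run on the filter parameter before handing it to a recursive-descent parser:

```rust
// Added example: bound the size and nesting depth of a SCIM filter string
// before any recursive parse sees it. Both limits are assumptions chosen for
// illustration, not values from the Kanidm project or the advisory.
const MAX_FILTER_BYTES: usize = 512;
const MAX_NESTING_DEPTH: usize = 16;

#[derive(Debug, PartialEq)]
pub enum FilterReject {
    TooLong(usize),
    TooDeep(usize),
    Unbalanced,
}

/// Walk the filter once, iteratively, and return its maximum parenthesis
/// nesting depth. Parentheses inside double-quoted values such as
/// `displayName eq "a(b)"` are data, not grouping, and are skipped.
pub fn nesting_depth(filter: &str) -> Result<usize, FilterReject> {
    let (mut depth, mut max_depth) = (0usize, 0usize);
    let (mut in_quotes, mut escaped) = (false, false);
    for c in filter.chars() {
        if in_quotes {
            match (escaped, c) {
                (true, _) => escaped = false,
                (false, '\\') => escaped = true,
                (false, '"') => in_quotes = false,
                _ => {}
            }
            continue;
        }
        match c {
            '"' => in_quotes = true,
            '(' => { depth += 1; max_depth = max_depth.max(depth); }
            ')' => depth = depth.checked_sub(1).ok_or(FilterReject::Unbalanced)?,
            _ => {}
        }
    }
    if depth != 0 || in_quotes { return Err(FilterReject::Unbalanced); }
    Ok(max_depth)
}

/// Accept a filter only if it is short enough and shallow enough to parse.
pub fn check_filter(filter: &str) -> Result<(), FilterReject> {
    if filter.len() > MAX_FILTER_BYTES { return Err(FilterReject::TooLong(filter.len())); }
    let depth = nesting_depth(filter)?;
    if depth > MAX_NESTING_DEPTH { return Err(FilterReject::TooDeep(depth)); }
    Ok(())
}

fn main() {
    // Constructed sample filters, not captured traffic.
    for f in ["userName eq \"alice\"", "(active eq true and (title pr))"] {
        println!("{f:?} -> {:?}", check_filter(f));
    }
}
```

The depth scan is deliberately a loop rather than a recursive function, so the guard itself cannot be pushed off the stack by the input it is checking.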
- kanidm / kanidm: < 1.9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N