CVE-2026-50638 (Severity: CRITICAL) CNA: CPANSec

CVE-2026-50638: Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl does not protect against metric injections

Metrics::Any::Adapter::DogStatsd versions before 0.04 for Perl do not protect against metric injection. The statsd protocol (and extensions such as dogstatsd) allows multiple metrics, separated by newlines, to be sent per packet. Metrics::Any::Adapter::DogStatsd extends Metrics::Any::Adapter::Statsd, which has a similar vulnerability. In addition, the _tags function does not check tags for newlines or statsd control characters, so the tags can be used for metric injection.

Metrics

  • CVSS v3.1: 9.1
  • Severity: CRITICAL
  • Fixed in: 0.04
  • Affected Products: 1


HarborGuard Analysis

Synopsis

This is a metric injection vulnerability in the Perl module Metrics::Any::Adapter::DogStatsd, affecting all versions before 0.04. The flaw is reachable over the network without any authentication and without requiring any victim interaction, because unsanitized newlines and statsd control characters in metric names and tags are forwarded directly into DogStatsd protocol packets. A successful attacker can forge arbitrary metrics or tamper with metric data sent to the monitoring backend, corrupting observability data and causing persistent misrepresentation of application telemetry. A patched-image rebuild at version 0.04 is available on HarborGuard for environments running an affected version.
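As an added illustration of the mechanism the description and synopsis above outline (this is not code from the Metrics::Any::Adapter::DogStatsd module, and it is written in Python rather than Perl), the following places a verbatim encoder, modelled on the unsanitised behaviour the advisory describes, beside one that strips newlines and the delimiter characters of the statsd line format before a packet is built; a small parser then shows what a receiver would make of each packet. The delimiter set and the sample tag value are this example's own assumptions, constructed for the demonstration.

```python
import re

# Delimiters of the statsd / DogStatsD line format name:value|type|@rate|#k:v,k2:v2
# plus CR/LF, which separate metrics inside one UDP packet. Treating exactly this
# set as "control characters" is an assumption of this example.
_CONTROL = re.compile(r"[\r\n:|@#,]")


def encode_unsafe(name, value, mtype="c", tags=()):
    """Interpolates name and tags verbatim, as the pre-0.04 code is described to do."""
    line = f"{name}:{value}|{mtype}"
    if tags:
        line += "|#" + ",".join(tags)
    return line


def clean(field):
    """Replace every delimiter or line break in a single field with '_'."""
    return _CONTROL.sub("_", field)


def encode_safe(name, value, mtype="c", tags=()):
    """Hardened encoder: numeric value only, name and each tag key/value cleaned."""
    if not isinstance(value, (int, float)) or isinstance(value, bool):
        raise TypeError("metric value must be numeric")
    line = f"{clean(name)}:{value}|{mtype}"
    cleaned = []
    for tag in tags:
        key, sep, val = tag.partition(":")  # keep one key:value colon per tag
        cleaned.append(clean(key) + (":" + clean(val) if sep else ""))
    if cleaned:
        line += "|#" + ",".join(cleaned)
    return line


def parse_packet(packet):
    """Minimal receiver view: list of (name, value, type, tags) per metric line."""
    metrics = []
    for line in packet.split("\n"):
        if not line.strip():
            continue
        head, *fields = line.split("|")
        name, _, value = head.partition(":")
        tags = [f[1:] for f in fields[1:] if f.startswith("#")]
        metrics.append((name, value, fields[0] if fields else "", tags[0].split(",") if tags else []))
    return metrics


# Constructed sample: a tag value (e.g. a hostname taken from untrusted input) carrying a newline.
HOST_TAG = "host:web1\ninjected:9999|g"
```

Run `parse_packet(encode_unsafe("requests", 1, "c", [HOST_TAG]))` to see a second, attacker-named metric appear, and the same call with `encode_safe` to see it collapse into a single harmless tag value.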

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-50638 is available across every HarborGuard environment: the CVE is ingested from upstream feeds (including CPANSec advisories) within minutes of publication and matched against all customer images, including custom-built images that bundle this Perl module. Any image layer containing Metrics::Any::Adapter::DogStatsd below 0.04 is flagged immediately.

Triage (Available)

HarborGuard scores this CVE at CVSS 9.1 (Critical) and surfaces it accordingly in each customer environment, weighted against that environment's configured compliance policy. Alerts are routed to the appropriate team inbox based on ownership rules defined in each customer org.

Patch (Available)

A patched-image rebuild pinned to Metrics::Any::Adapter::DogStatsd 0.04 is available on HarborGuard for any image found running an affected version. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs the configured regression test suite, and opens a pull request against affected workloads; median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

Exploit Conditions

  • Network reachability: Required

    The vulnerable module accepts metric input over the network, so an attacker must be able to send data to the exposed DogStatsd ingestion path.

  • Authentication: Not required

    No credentials or session token of any kind are required to supply crafted metric names or tags.

  • Victim interaction: Not required

    Exploitation is fully passive from the victim side; no user action or click is needed to trigger the injection.

  • Attack complexity: Low (AC:L in the CVSS vector)

    The exploit is reliable and condition-free: the attacker simply embeds newlines or statsd control characters in metric names or tag values, with no race condition or special environmental setup required.

Blast Radius

  • An attacker forges arbitrary metric names and values in the DogStatsd stream, injecting synthetic telemetry into the monitoring backend.
  • Tag fields can be poisoned with control characters, corrupting dashboards, alerts, and automated anomaly-detection rules that depend on tag integrity.
  • Legitimate metrics can be shadowed or overwritten, causing on-call teams to act on false observability data during incidents.

How HarborGuard Handles This

Available on HarborGuard: images containing Metrics::Any::Adapter::DogStatsd below 0.04 are automatically identified during each scan cycle. For customers who opt into auto-remediation, a rebuilt image at version 0.04 is prepared, a regression test run is executed against the new layer, and a pull request is opened against affected workloads. Where compliance policy requires manual approval, the rebuilt image is staged and the finding is surfaced at Critical severity for immediate review. Because a fix is available, no interim workaround period is expected; however, customers who cannot apply the patch immediately should consider network-policy rules that restrict which services are permitted to write to the DogStatsd endpoint, reducing the exposure window until the patched image is deployed.


Fix available: 0.04

Affected packages
  • PEVANS / Metrics::Any::Adapter::DogStatsd
    < 0.04 (from 0)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N