7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2026-31866

CVE-2026-31866: Allocation of Resources Without Limits or Throttling in flagd

flagd is a feature flag daemon with a Unix philosophy. Prior to 0.14.2, flagd exposes OFREP (/ofrep/v1/evaluate/...) and gRPC (evaluation.v1, evaluation.v2) endpoints for feature flag evaluation. These endpoints are designed to be publicly accessible by client applications. The evaluation context included in request payloads is read into memory without any size restriction. An attacker can send a single HTTP request with an arbitrarily large body, causing flagd to allocate a corresponding amount of memory. This leads to immediate memory exhaustion and process termination (e.g., OOMKill in Kubernetes environments). flagd does not natively enforce authentication on its evaluation endpoints. While operators may deploy flagd behind an authenticating reverse proxy or similar infrastructure, the endpoints themselves impose no access control by default. This vulnerability is fixed in 0.14.2.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2026-31866

CVE-2026-31866:

7.5

CVSS Score

3.1

-

CVSS Score

Basic Information

Is this CVE running in your environment?

Easily map the attack path and prioritize which CVEs are a threat to your organization

Validate Exposure

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
github.com/open-feature/flagd/flagd	go	< 0.14.2	0.14.2

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability lies in the absence of size limits on incoming HTTP request bodies for both the OFREP and gRPC/Connect evaluation endpoints. An attacker could send a request with an arbitrarily large body, causing the flagd process to allocate excessive memory, leading to a denial-of-service condition (OOM kill). The provided patch addresses this by introducing configurable limits for the maximum request body and header sizes. The core of the fix is the application of http.MaxBytesHandler to the HTTP servers for both the OFREP and Connect services. This middleware intercepts incoming requests and rejects any that exceed the configured body size limit before the request body is read into memory, thus preventing the memory exhaustion vulnerability. All evaluation endpoints under OFREP and gRPC/Connect were affected as the vulnerability existed at the transport layer.

Vulnerable functions

ofrep.handler.HandleFlagEvaluation

flagd/pkg/service/flag-evaluation/ofrep/ofrep_service.go

This function handles OFREP requests for single flag evaluations. It was vulnerable to excessive memory allocation because it processed request bodies without a size limit. An attacker could send an arbitrarily large request body, leading to a denial of service. The patch introduces `http.MaxBytesHandler` to enforce a limit on the request body size.

ofrep.handler.HandleBulkEvaluation

flagd/pkg/service/flag-evaluation/ofrep/ofrep_service.go

This function handles OFREP requests for bulk flag evaluations. It was vulnerable to excessive memory allocation because it processed request bodies without a size limit. An attacker could send an arbitrarily large request body, leading to a denial of service. The patch introduces `http.MaxBytesHandler` to enforce a limit on the request body size.

v1.Service.ResolveBoolean

flagd/pkg/service/flag-evaluation/connect_service.go

This gRPC/Connect method for boolean flag evaluation was exposed via an HTTP server that did not limit request body sizes. This allowed an attacker to send a large request, causing memory exhaustion and a denial of service. The patch, applied in `setupServer`, wraps the service handler with `http.MaxBytesHandler` to mitigate this.

v1.Service.ResolveString

flagd/pkg/service/flag-evaluation/connect_service.go

This gRPC/Connect method for string flag evaluation was exposed via an HTTP server that did not limit request body sizes. This allowed an attacker to send a large request, causing memory exhaustion and a denial of service. The patch, applied in `setupServer`, wraps the service handler with `http.MaxBytesHandler` to mitigate this.

v1.Service.ResolveFloat

flagd/pkg/service/flag-evaluation/connect_service.go

This gRPC/Connect method for float flag evaluation was exposed via an HTTP server that did not limit request body sizes. This allowed an attacker to send a large request, causing memory exhaustion and a denial of service. The patch, applied in `setupServer`, wraps the service handler with `http.MaxBytesHandler` to mitigate this.

v1.Service.ResolveInt

flagd/pkg/service/flag-evaluation/connect_service.go

This gRPC/Connect method for integer flag evaluation was exposed via an HTTP server that did not limit request body sizes. This allowed an attacker to send a large request, causing memory exhaustion and a denial of service. The patch, applied in `setupServer`, wraps the service handler with `http.MaxBytesHandler` to mitigate this.

v1.Service.ResolveObject

flagd/pkg/service/flag-evaluation/connect_service.go

This gRPC/Connect method for object flag evaluation was exposed via an HTTP server that did not limit request body sizes. This allowed an attacker to send a large request, causing memory exhaustion and a denial of service. The patch, applied in `setupServer`, wraps the service handler with `http.MaxBytesHandler` to mitigate this.

v1.Service.ResolveAll

flagd/pkg/service/flag-evaluation/connect_service.go

This gRPC/Connect method for resolving all flags was exposed via an HTTP server that did not limit request body sizes. This allowed an attacker to send a large request, causing memory exhaustion and a denial of service. The patch, applied in `setupServer`, wraps the service handler with `http.MaxBytesHandler` to mitigate this.

v2.Service.ResolveBoolean

flagd/pkg/service/flag-evaluation/connect_service.go

v2.Service.ResolveString

flagd/pkg/service/flag-evaluation/connect_service.go

v2.Service.ResolveFloat

flagd/pkg/service/flag-evaluation/connect_service.go

v2.Service.ResolveInt

flagd/pkg/service/flag-evaluation/connect_service.go

v2.Service.ResolveObject

flagd/pkg/service/flag-evaluation/connect_service.go

Vulnerability Intelligence
Miggo AI

Unlock WAF rules for this CVE

Generate vendor-ready rules for the observed attack patterns, plus reasoning and safe deployment guidance

Get WAF rules

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.