CVE-2026-11752: Armeria: External Control of File Name or Path in xDS SDS DataSource
DataSourceStream in the :xds module resolves the filename and environment_variable specifiers of the DataSource messages carried in control-plane-supplied SDS Secret resources without any allow-list or base-directory confinement. A semi-trusted or compromised xDS control plane (or an attacker who can MITM SDS responses, which presupposes an xDS transport without integrity protection) can therefore make the xDS client read arbitrary local files and environment variables on its own host.
Affected component: xds/src/main/java/com/linecorp/armeria/xds/DataSourceStream.java
Introduced in: Armeria 1.38.0 (commit b199560b10, “Add support for SDS”, #6597)
Affected versions: 1.38.0, 1.39.0
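The following is an added illustration of the two missing controls, not Armeria's DataSourceStream and not the project's shipped fix. It models the four specifier cases of envoy.config.core.v3.DataSource (filename, inline_bytes, inline_string, environment_variable) with a hypothetical DataSource record, shows the unconfined resolution shape the advisory describes beside a hardened one, and feeds both the kind of input a hostile control plane would send. The class name ConfinedDataSource, the temp "secrets" directory, the tls.crt fixture and the SDS_CA_BUNDLE allow-list entry are all assumptions for the example.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not Armeria code. Resolves the DataSource specifier cases with
 * filename confined to a base directory and environment_variable checked against
 * an allow-list, which is exactly what the advisory says DataSourceStream lacks.
 */
public final class ConfinedDataSource {

    /** Hypothetical stand-in for the generated DataSource proto; exactly one field is expected to be set. */
    public record DataSource(String filename, byte[] inlineBytes, String inlineString, String environmentVariable) {
        public static DataSource ofFile(String f)   { return new DataSource(f, null, null, null); }
        public static DataSource ofEnv(String e)    { return new DataSource(null, null, null, e); }
        public static DataSource ofString(String s) { return new DataSource(null, null, s, null); }
    }

    private final Path baseDir;
    private final Set<String> allowedEnv;
    private final Map<String, String> env;

    /** baseDir is canonicalised once so that later startsWith() checks compare real paths, not lexical ones. */
    public ConfinedDataSource(Path baseDir, Set<String> allowedEnv, Map<String, String> env) throws IOException {
        this.baseDir = baseDir.toRealPath();
        this.allowedEnv = Set.copyOf(allowedEnv);
        this.env = Map.copyOf(env);
    }

    /** The vulnerable shape: control-plane input goes straight to the filesystem and the environment. */
    public static byte[] resolveUnconfined(DataSource ds, Map<String, String> env) throws IOException {
        if (ds.filename() != null)            return Files.readAllBytes(Path.of(ds.filename()));
        if (ds.environmentVariable() != null) return env.getOrDefault(ds.environmentVariable(), "").getBytes(StandardCharsets.UTF_8);
        return inline(ds);
    }

    /** Hardened resolution: base-directory confinement for files, allow-list for environment variables. */
    public byte[] resolve(DataSource ds) throws IOException {
        if (ds.filename() != null) {
            // Lexical check first: rejects "../x" and absolute paths without touching the disk.
            Path candidate = baseDir.resolve(ds.filename()).normalize();
            if (!candidate.startsWith(baseDir)) {
                throw new SecurityException("filename escapes base directory: " + ds.filename());
            }
            // Real-path check second: a symlink inside baseDir must not point outside it.
            Path real = candidate.toRealPath();
            if (!real.startsWith(baseDir)) {
                throw new SecurityException("filename resolves outside base directory via symlink: " + ds.filename());
            }
            return Files.readAllBytes(real);
        }
        if (ds.environmentVariable() != null) {
            String name = ds.environmentVariable();
            if (!allowedEnv.contains(name)) {
                throw new SecurityException("environment variable not in allow-list: " + name);
            }
            String value = env.get(name);
            if (value == null) throw new IOException("allowed environment variable is unset: " + name);
            return value.getBytes(StandardCharsets.UTF_8);
        }
        return inline(ds);
    }

    private static byte[] inline(DataSource ds) {
        if (ds.inlineBytes() != null)  return ds.inlineBytes().clone();
        if (ds.inlineString() != null) return ds.inlineString().getBytes(StandardCharsets.UTF_8);
        throw new IllegalArgumentException("DataSource has no specifier set");
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: a temp secrets directory holding one certificate file, plus a fake environment.
        Path secrets = Files.createTempDirectory("sds-secrets");
        Files.writeString(secrets.resolve("tls.crt"), "-----BEGIN CERTIFICATE-----\n...\n");
        Map<String, String> env = Map.of("SDS_CA_BUNDLE", "bundle-bytes", "AWS_SECRET_ACCESS_KEY", "do-not-leak");

        ConfinedDataSource sds = new ConfinedDataSource(secrets, Set.of("SDS_CA_BUNDLE"), env);

        // Legitimate specifiers are served as before.
        System.out.println(new String(sds.resolve(DataSource.ofFile("tls.crt")), StandardCharsets.UTF_8).trim());
        System.out.println(new String(sds.resolve(DataSource.ofEnv("SDS_CA_BUNDLE")), StandardCharsets.UTF_8));

        // Each of these is what a malicious control plane would send; the hardened resolver must reject all of them.
        for (DataSource hostile : new DataSource[] {
                DataSource.ofFile("../../../../etc/passwd"),
                DataSource.ofFile("/etc/passwd"),
                DataSource.ofEnv("AWS_SECRET_ACCESS_KEY") }) {
            try {
                sds.resolve(hostile);
                System.out.println("UNEXPECTED: accepted " + hostile);
            } catch (SecurityException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The two-stage path check matters: normalize() alone is lexical and would accept a symlink inside the base directory that points at /etc, while toRealPath() alone would touch the filesystem for every hostile path before deciding. The allow-list for environment variables is deliberately a fixed set rather than a prefix match, since process environments routinely hold cloud credentials and tokens that a control plane has no business reading.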