CVE-2026-42303: Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection

Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject’s records across every integration configured in the affected deployment.

A related lower-severity denial-of-service issue, in which an unauthenticated attacker could prevent a legitimate data subject from completing their own privacy requests, is also patched in the fix for this vulnerability.