Analysis and contextual insights are available on OpenCVE Cloud.
No vendor fix or workaround currently provided.
Additional remediation guidance may be available on OpenCVE Cloud.
Tracking
Sign in to view the affected projects.
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-jxpj-9j24-w337 | Apollo Portal: There is a risk of unauthorized access to the Apollo configuration center |
Wed, 15 Jul 2026 22:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Apolloconfig
Apolloconfig apollo |
|
| Vendors & Products |
Apolloconfig
Apolloconfig apollo |
Wed, 15 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
ssvc
|
Wed, 15 Jul 2026 17:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Apollo is a reliable configuration management system suitable for microservice configuration management scenarios. Prior to 2.5.0, Apollo Portal does not verify application and namespace permissions when an authenticated user requests a release by ID through GET /envs/{env}/releases/{releaseId} while configView.memberOnly.envs is enabled, allowing a low-privileged Portal user who obtains or guesses a valid releaseId to read configuration data from other applications and namespaces without calling UserPermissionValidator.shouldHideConfigToCurrentUser(...). This issue is fixed in version 2.5.0. | |
| Title | Apollo: Apollo Portal release endpoint allows cross-application configuration disclosure via releaseId | |
| Weaknesses | CWE-639 CWE-862 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T17:29:51.557Z
Reserved: 2025-04-10T12:51:12.278Z
Link: CVE-2025-32781
Updated: 2026-07-15T17:29:48.073Z
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T22:30:06Z
Github GHSA