CVE-2026-42303
MEDIUM
6,1
Source: [email protected]
Attack Vector: network
Attack Complexity: low
Privileges Required: none
User Interaction: active
Confidentiality: N/A
Integrity: N/A
Availability: N/A
Description
AI Translation Available
Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment. This vulnerability is fixed in 2.83.2.
288
Authentication Bypass Using an Alternate Path or Channel
IncompleteCommon Consequences
Security Scopes Affected:
Access Control
Potential Impacts:
Bypass Protection Mechanism
Applicable Platforms
Technologies:
Not Technology-Specific, Web Based
306
Missing Authentication for Critical Function
DraftCommon Consequences
Security Scopes Affected:
Access Control
Other
Potential Impacts:
Gain Privileges Or Assume Identity
Varies By Context
Applicable Platforms
Technologies:
Cloud Computing, ICS/OT
841
Improper Enforcement of Behavioral Workflow
IncompleteCommon Consequences
Security Scopes Affected:
Other
Potential Impacts:
Alter Execution Logic
Applicable Platforms
All platforms may be affected
https://github.com/ethyca/fides/security/advisories/GHSA-qx5f-ghc2-7g5c
https://github.com/ethyca/fides/commit/0e320b20934eb5af3a3d5127dba2691605d7ff37
https://github.com/ethyca/fides/commit/e7a6527b0f9fdc9887b86a89bb5453e7421882dd
https://github.com/ethyca/fides/pull/7971
https://github.com/ethyca/fides/pull/7972
https://github.com/ethyca/fides/releases/tag/2.83.2
https://github.com/ethyca/fides/security/advisories/GHSA-qx5f-ghc2-7g5c