{"id":"CVE-2026-46689","summary":"Kanidm: Unauthenticated process abort via SCIM filter stack exhaustion","details":"Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() — the entire kanidmd process exits. The parse runs inside axum's Query\u003cScimEntryGetQuery\u003e extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.","aliases":["GHSA-r5fr-9gmv-jggh"],"modified":"2026-07-08T08:23:02.178385586Z","published":"2026-06-10T20:28:44.009Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46689.json","cwe_ids":["CWE-248","CWE-400","CWE-674"],"cna_assigner":"GitHub_M"},"references":[{"type":"WEB","url":"https://github.com/kanidm/kanidm/releases/tag/v1.9.3"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46689.json"},{"type":"ADVISORY","url":"https://github.com/kanidm/kanidm/security/advisories/GHSA-r5fr-9gmv-jggh"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-46689"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/kanidm/kanidm","events":[{"introduced":"0"},{"fixed":"7d4108698caeb324bb27a9d83b081d5701760131"}],"database_specific":{"extracted_events":[{"introduced":"0"},{"fixed":"1.9.3"}],"source":["AFFECTED_FIELD","REFERENCES"]}}],"versions":["v1.9.2","v1.9.1","v1.9.0","v1.9.0-pre","v1.9.0-dev","v1.8.0-dev","v1.7.0-dev","1.7.0-dev","v1.6.0-dev","v1.5.0-dev","v1.4.0-dev","v1.3.0-dev","v1.1.0-rc.16","v1.1.0-rc.15-dev","v1.1.0-rc.15","debs","v1.1.0-beta.13","v1.1.0-alpha.12","v1.1.0-alpha.11","v1.1.0-alpha.10","v1.1.0-alpha.9","latest","v1.1.0-alpha.8","v1.1.0-alpha.7","v1.1.0-alpha.6","v1.1.0-alpha.5","v1.1.0-alpha.4","v1.1.0-alpha.3","v1.1.0-alpha.2","pam_kanidm-v1.1.0-alpha.2","nss_kanidm-v1.1.0-alpha.2","kanidm_unix_int-v1.1.0-alpha.2","kanidm_tools-v1.1.0-alpha.2","kanidm_proto-v1.1.0-alpha.2","kanidm_client-v1.1.0-alpha.2","kanidm-v1.1.0-alpha.2","v1.1.0alpha","v1.1.0-alpha","v1.0.0rc11","v1.0.0rc10","v1.0.0rc9","v1.0.0rc8","v1.0.0rc7","v1.0.0rc3","v1.0.0rc2","v1.0.0rc1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-46689.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V4","score":"CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N"}]}