Kanidm: Unauthenticated process abort via SCIM filter stack exhaustion

8.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N

Description

Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() — the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.

AI Analysis

Unauthenticated process abort via SCIM filter stack exhaustion

Basic Information

ID CVE-2026-46689

Source GitHub_M

Published Jun 10, 2026 at 20:28

Affected Product

Vendor kanidm

Product kanidm

Version < 1.9.3

Affected Versions kanidm kanidm < 1.9.3

CWE Classification

CWE-248 CWE-400 CWE-674

AI Assessment

AI Score 8.7 / 10

AI Severity High

Vendor Kanidm

Product Kanidm

Version < 1.9.3

References

{
    "lastseen": "",
    "description": "Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (\u2248 4\u201312 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort() \u2014 the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.",
    "published": "2026-06-10T20:28:44.009Z",
    "modified": "2026-06-10T20:28:44.009Z",
    "type": "cve",
    "title": "Kanidm: Unauthenticated process abort via SCIM filter stack exhaustion",
    "source": "GitHub_M",
    "references": "https://github.com/kanidm/kanidm/security/advisories/GHSA-r5fr-9gmv-jggh\nhttps://github.com/kanidm/kanidm/releases/tag/v1.9.3",
    "id": "CVE-2026-46689",
    "bulletinFamily": "",
    "cwe": [
        "CWE-248",
        "CWE-400",
        "CWE-674"
    ],
    "cvelist": null,
    "sourceData": "kanidm kanidm < 1.9.3",
    "sourceHref": "",
    "cvss": {
        "score": 8.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "kanidm",
    "version": "< 1.9.3",
    "vendor": "kanidm",
    "ai_description": "Unauthenticated process abort via SCIM filter stack exhaustion",
    "ai_severity": "High",
    "ai_vendor": "Kanidm",
    "ai_product": "Kanidm",
    "ai_version": "< 1.9.3",
    "ai_score": 8.7
}

Kanidm: Unauthenticated process abort via SCIM filter stack exhaustion_CVE-2026-46689