CVE-2026-46689
Status: Received - Intake
Stack Overflow in Kanidm SCIM v1 Endpoint

Publication date: 2026-06-10

Last updated on: 2026-06-11

Assigner: GitHub, Inc.

Description
Kanidm is an identity management platform. Prior to version 1.9.3, a single unauthenticated GET to any /scim/v1/... endpoint with a ?filter= query string of a few thousand nested parentheses (≈ 4–12 KB) drives the recursive-descent PEG parser past the worker thread's stack guard page. Rust responds to stack overflow with std::process::abort(), so the entire kanidmd process exits. The parse runs inside axum's Query<ScimEntryGetQuery> extractor, before any handler body and therefore before any ACL check. This issue has been patched in version 1.9.3.
Meta Information
Generated: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: kanidm
Product: kanidm
Version / Range: all versions before 1.9.3 (1.9.3 itself not affected)
CWE
CWE ID: Description
CWE-248 An exception is thrown from a function, but it is not caught.
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.
CWE-674 The product does not properly control the amount of recursion that takes place, consuming excessive resources, such as allocated memory or the program stack.
Executive Summary

This vulnerability exists in Kanidm, an identity management platform, prior to version 1.9.3. An unauthenticated attacker can send a single GET request to any /scim/v1/... endpoint with a specially crafted ?filter= query string containing a few thousand nested parentheses (approximately 4–12 KB). This causes the recursive-descent PEG parser to exceed the worker thread's stack guard page, leading to a stack overflow.

When the stack overflow occurs, Rust's standard library responds by aborting the entire kanidmd process. The parsing happens before any access control checks, meaning the attack can be performed without authentication.

This issue has been fixed in Kanidm version 1.9.3.

Impact Analysis

The vulnerability can cause a denial of service (DoS) by crashing the kanidmd process whenever a maliciously crafted request is received. Since the process aborts on stack overflow, the service becomes unavailable until it is restarted.

Because the attack requires no authentication and occurs before any access control checks, an attacker can easily disrupt the identity management service, potentially impacting availability and reliability.

Mitigation Strategies

The vulnerability has been patched in Kanidm version 1.9.3. Immediate mitigation involves upgrading Kanidm to version 1.9.3 or later.

Compliance Impact

This vulnerability causes the kanidmd process to abort when processing a specially crafted unauthenticated request, resulting in a denial of service.

Since the denial of service occurs before any access control checks, it could potentially disrupt availability of the identity management service.

However, there is no information provided about any data breach, unauthorized data access, or data loss related to this vulnerability.

Therefore, while this issue may impact service availability, there is no direct indication that it affects compliance with data protection regulations such as GDPR or HIPAA.

Detection Guidance

This vulnerability can be detected by monitoring for unexpected crashes or restarts of the kanidmd process, as the vulnerability causes the process to abort upon receiving a specially crafted GET request.

Specifically, an unauthenticated GET request to any /scim/v1/... endpoint with a ?filter= query string containing a few thousand nested parentheses (approximately 4–12 KB in size) triggers the issue.

To detect attempts to exploit this vulnerability, you can use network monitoring tools or web server logs to identify such suspicious GET requests.

  • Use tools like tcpdump or Wireshark to capture HTTP GET requests to /scim/v1/ endpoints with large filter query parameters. Example tcpdump command to capture HTTP GET requests to /scim/v1/ (the BPF expression selects only TCP segments that carry payload):
    tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'GET /scim/v1/'
  • Note that this only works for plaintext HTTP. If kanidmd is served over TLS, the request line is not visible on the wire; inspect the access logs of the server or of a TLS-terminating reverse proxy instead.
  • Check kanidmd process logs or system logs for unexpected process aborts or crashes.
  • Use monitoring tools to alert on kanidmd process restarts.
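As an added example (not from the advisory, the NVD record, or the Kanidm project), the following Python scans access-log lines for the request shape the guidance describes: a GET to /scim/v1/ whose filter= parameter is abnormally deeply nested or long. It assumes a Common/Combined Log Format line layout, one level of percent-decoding (so %28 and %29 count as parentheses), and the thresholds MAX_FILTER_DEPTH and MAX_FILTER_LEN, which are chosen here and are not values from the advisory. The sample log lines, the resource name Person, the client addresses and the status codes are all constructed placeholders.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed thresholds (not from the advisory). The advisory says a filter of a few
# thousand nested parentheses (4-12 KB) triggers the abort; a legitimate SCIM filter
# needs only a handful of levels, so anything past these limits is worth a finding.
MAX_FILTER_DEPTH = 32
MAX_FILTER_LEN = 2048

# Common/Combined Log Format: client ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>\S+)" (?P<status>\S+) (?P<size>\S+)'
)


def paren_depth(text):
    """Deepest nesting of '(' in text, computed iteratively so the checker itself
    cannot be pushed into deep recursion by the input it inspects."""
    depth = max_depth = 0
    for ch in text:
        if ch == "(":
            depth += 1
            if depth > max_depth:
                max_depth = depth
        elif ch == ")" and depth > 0:
            depth -= 1
    return max_depth


def analyse_target(target):
    """Inspect a request target. Returns a finding dict for a /scim/v1/ request whose
    filter= parameter is abnormally deep or long, otherwise None."""
    parts = urlsplit(target)
    if not parts.path.startswith("/scim/v1/"):
        return None
    # parse_qs percent-decodes once, so %28/%29 are seen as '(' and ')'.
    for flt in parse_qs(parts.query, keep_blank_values=True).get("filter", []):
        depth = paren_depth(flt)
        if depth > MAX_FILTER_DEPTH or len(flt) > MAX_FILTER_LEN:
            return {"path": parts.path, "depth": depth, "filter_len": len(flt)}
    return None


def scan_log(lines):
    """Run analyse_target over access-log lines; returns a list of findings, each
    carrying the client, timestamp and logged status alongside the filter metrics."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "GET":
            continue
        finding = analyse_target(m.group("target"))
        if finding:
            finding.update(client=m.group("client"), time=m.group("time"),
                           status=m.group("status"))
            findings.append(finding)
    return findings


# Constructed sample lines. "Person", the addresses and the status codes are
# placeholders; the 502 on the second line stands for a reverse proxy recording that
# the upstream went away, which is an assumption about the deployment, not a fact
# from the advisory. Detection keys on the request shape, not on the status.
SAMPLE_LOG = [
    '198.51.100.7 - - [10/Jun/2026:12:00:01 +0000] '
    '"GET /scim/v1/Person?filter=name%20eq%20%22alice%22 HTTP/1.1" 401 0',
    '203.0.113.9 - - [10/Jun/2026:12:00:02 +0000] "GET /scim/v1/Person?filter='
    + "%28" * 300 + "x" + "%29" * 300 + ' HTTP/1.1" 502 0',
    '198.51.100.7 - - [10/Jun/2026:12:00:03 +0000] "GET /status HTTP/1.1" 200 812',
]

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['client']} {f['path']} depth={f['depth']} "
              f"len={f['filter_len']} status={f['status']}")
```

Because a single request is enough to abort kanidmd, each finding is also a cue to correlate the timestamp with process restarts on the host. The checker only decodes one level of percent-encoding, so if a reverse proxy or client double-encodes query strings, decode to the same level the server would before counting.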