CVE-2026-23538

HIGH
Published July 16, 2026

A vulnerability was identified in the Feast Feature Server's `/ws/chat` endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory,...

Full CISO analysis pending enrichment.

What systems are affected?

Package Ecosystem Vulnerable Range Patched
Jupyter pip No patch
13.2K OpenSSF 5.8 1.9K dependents Pushed 5d ago 52% patched ~26d to patch Full package profile →
Jupyter pip No patch
13.2K OpenSSF 5.8 1.9K dependents Pushed 5d ago 52% patched ~26d to patch Full package profile →
Jupyter pip No patch
13.2K OpenSSF 5.8 1.9K dependents Pushed 5d ago 52% patched ~26d to patch Full package profile →
Jupyter pip No patch
13.2K OpenSSF 5.8 1.9K dependents Pushed 5d ago 52% patched ~26d to patch Full package profile →
Jupyter pip No patch
13.2K OpenSSF 5.8 1.9K dependents Pushed 5d ago 52% patched ~26d to patch Full package profile →
Jupyter pip No patch
13.2K OpenSSF 5.8 1.9K dependents Pushed 5d ago 52% patched ~26d to patch Full package profile →
Feast Feature Server No patch
rhoai/odh-feature-server-rhel9 No patch
rhoai/odh-pipeline-runtime-datascience-cpu-py312-rhel9 No patch
rhoai/odh-pipeline-runtime-pytorch-cuda-py312-rhel9 No patch
rhoai/odh-pipeline-runtime-pytorch-llmcompressor-cuda-py312-rhel9 No patch
rhoai/odh-pipeline-runtime-pytorch-rocm-py312-rhel9 No patch
rhoai/odh-pipeline-runtime-tensorflow-cuda-py312-rhel9 No patch
rhoai/odh-pipeline-runtime-tensorflow-rocm-py312-rhel9 No patch
rhoai/odh-workbench-codeserver-datascience-cpu-py312-rhel9 No patch

How severe is it?

CVSS 3.1
7.5 / 10
EPSS
N/A
Exploitation Status
No known exploitation
Sophistication
N/A

What is the attack surface?

AV AC PR UI S C I A
AV Network
AC Low
PR None
UI None
S Unchanged
C None
I None
A High

What should I do?

No patch available

Monitor for updates. Consider compensating controls or temporary mitigations.

Which compliance frameworks are affected?

Compliance analysis pending. Sign in for full compliance mapping when available.

Frequently Asked Questions

What is CVE-2026-23538?

A vulnerability was identified in the Feast Feature Server's `/ws/chat` endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU, and file descriptors—leading to a complete denial of service for legitimate users.

Is CVE-2026-23538 actively exploited?

No confirmed active exploitation of CVE-2026-23538 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-23538?

No patch is currently available. Monitor vendor advisories for updates.

What is the CVSS score for CVE-2026-23538?

CVE-2026-23538 has a CVSS v3.1 base score of 7.5 (HIGH).

What are the technical details?

Original Advisory

A vulnerability was identified in the Feast Feature Server's `/ws/chat` endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU, and file descriptors—leading to a complete denial of service for legitimate users.

Weaknesses (CWE)

CWE-770 — Allocation of Resources Without Limits or Throttling: The product allocates a reusable resource or group of resources on behalf of an actor without imposing any intended restrictions on the size or number of resources that can be allocated.

  • [Requirements] Clearly specify the minimum and maximum expectations for capabilities, and dictate which behaviors are acceptable when resource allocation reaches limits.
  • [Architecture and Design] Limit the amount of resources that are accessible to unprivileged users. Set per-user limits for resources. Allow the system administrator to define these limits. Be careful to avoid CWE-410.

Source: MITRE CWE corpus.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Timeline

Published
July 16, 2026
Last Modified
July 16, 2026
First Seen
July 16, 2026

Related Vulnerabilities