CVE-2026-23537: Feast Feature Server unauthenticated arbitrary file write to RCE
CVE-2026-23537 is verified against feast-dev/feast · github affected versions: feast < 0.60.0 (the /save-document endpoint was introduced in v0.59.0 via PR #5865, commit 2081b55de32b830b4fb64e93b6d88cdfaeff2378) fixed version: 0.60.0 vulnerability class: RCE This critical reproduction includes runnable sandbox proof, artifacts, and a plain-text agent view under REPRO-2026-00244.
pruva-verify REPRO-2026-00244 curl -O https://pruva.dev/api/v1/reproductions/REPRO-2026-00244/artifacts/bundle/repro/reproduction_steps.sh && chmod +x reproduction_steps.sh && ./reproduction_steps.sh Feast Feature Server's /save-document endpoint allows unauthenticated remote attackers to write arbitrary JSON files to the server's filesystem. While the system attempts to restrict file locations, the restriction can be bypassed, enabling arbitrary file writes that can lead to remote code execution by overwriting configuration, code, or data files. Reproduce: run Feast Feature Server from a vulnerable version, send an unauthenticated POST to /save-document with a crafted path that bypasses the location restriction, and confirm the file is written on the server. Then leverage the write to execute code.
Variant analysis
The agent's step-by-step process — every tool call, every handoff, the moment the exploit fired. Phases: support triages the advisory · repro reproduces it · vuln_variant confirms the fix blocks it · judge verifies.
Loading session...
Scripts, logs, diffs, and output captured during the reproduction.