CVE-2026-42303

EUVD-2026-29705

12.05.2026, 18:17

Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment. This vulnerability is fixed in 2.83.2.

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
NIST	Primary	UNKNOWN				---

Awaiting analysis

This vulnerability is currently awaiting analysis.

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Common Weakness Enumeration

CWE-288 - Authentication Bypass Using an Alternate Path or Channel
A product requires authentication, but the product has an alternate path or channel that does not require authentication.

References

https://github.com/ethyca/fides/commit/0e320b20934eb5af3a3d5127dba2691605d7ff37

https://github.com/ethyca/fides/commit/e7a6527b0f9fdc9887b86a89bb5453e7421882dd

https://github.com/ethyca/fides/pull/7971

https://github.com/ethyca/fides/pull/7972

https://github.com/ethyca/fides/releases/tag/2.83.2

https://github.com/ethyca/fides/security/advisories/GHSA-qx5f-ghc2-7g5c