GHSA-6m8w-jc87-6cr7 · Severity: high · Ecosystem: go — OPA server Data API HTTP path injection of Rego
Open Policy Agent (OPA) is an open source, general-purpose policy engine. Prior to version 1.4.0, when run as a server, OPA exposes an HTTP Data API for reading and writing documents. Requesting a virtual document through the Data API entails policy evaluation: a Rego query containing a single data document reference is constructed from the requested path and then evaluated. An HTTP request path can be crafted so that it injects Rego code into the constructed query. The evaluation result cannot be made to return any data other than what the requested path generates, but the path can be misdirected, and the injected Rego code can be crafted to make the query succeed or fail, which opens the door to oracle attacks or, under the right circumstances, erroneous policy decision results. The injected code can also be made computationally expensive, resulting in a Denial of Service (DoS). This issue has been patched in version 1.4.0. As a workaround, limit network access to OPA's RESTful APIs to `localhost` and/or trusted networks unless wider exposure is required for production reasons.
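The advisory describes a query built from the request path by splicing path segments into Rego source text. The following added example (illustrative code written for this page, not OPA's implementation, and a deliberate simplification of how the Data API handles paths) contrasts that pattern with a construction that emits each segment as a quoted string key, so a segment can only ever name a document and never change the query's syntax. The function names, the sample paths and the "x[0]" segment are constructed for the demonstration; the hostile-looking segment shows why raw splicing is unsafe and is not a working payload against any OPA version.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// naiveQueryFromPath reproduces, in deliberately simplified form, the pattern
// the advisory describes: the document path from the Data API request is
// split on "/" and the segments are spliced into a Rego query as raw text.
// Whatever a segment contains is then parsed as Rego, not as a key name.
// Illustrative code for this page, not OPA's own implementation.
func naiveQueryFromPath(docPath string) string {
	segs := strings.Split(strings.Trim(docPath, "/"), "/")
	return "data." + strings.Join(segs, ".")
}

// safeQueryFromPath references the same document, but emits each segment as a
// JSON-quoted string key: data["a"]["b"]. json.Marshal escapes quotes and
// backslashes, and JSON string escapes are valid inside Rego string literals,
// so a segment can only select a key; it cannot become Rego syntax. Empty
// segments (from "//") are rejected rather than silently dropped, because
// dropping them would change which document is addressed.
func safeQueryFromPath(docPath string) (string, error) {
	trimmed := strings.Trim(docPath, "/")
	if trimmed == "" {
		return "data", nil // the whole data document
	}
	var b strings.Builder
	b.WriteString("data")
	for _, seg := range strings.Split(trimmed, "/") {
		if seg == "" {
			return "", fmt.Errorf("empty segment in document path %q", docPath)
		}
		key, err := json.Marshal(seg)
		if err != nil {
			return "", err
		}
		b.WriteString("[")
		b.Write(key)
		b.WriteString("]")
	}
	return b.String(), nil
}

func main() {
	// Constructed sample paths. The second carries Rego punctuation in a
	// segment: spliced raw, it becomes an index expression; quoted, it stays
	// a key named "x[0]".
	for _, p := range []string{"/authz/allow", "/authz/x[0]"} {
		safe, err := safeQueryFromPath(p)
		fmt.Printf("path %-14s naive: %-22s safe: %s (err=%v)\n",
			p, naiveQueryFromPath(p), safe, err)
	}
}
```

Running the block shows `data.authz.x[0]` for the naive form against `data["authz"]["x[0]"]` for the quoted form: the first has changed the meaning of the query, the second merely asks for a key that probably does not exist. Whatever form a real engine uses internally, the check to carry away is that request-derived text must enter a query as a value (a quoted literal or an AST node), never as source.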
Conclusion & alert: CVE-2025-46569 is rated Low Risk (30.9/100): CVSS High severity, but low exploitation likelihood (EPSS 0.02%). Action: a fix exists, so upgrade OPA server deployments to 1.4.0 or later; where that is not yet possible, restrict access to the REST API as described above, and monitor for updates and reassess as exploit intelligence or EPSS changes.
Risk is dynamic; we continuously reassess and refresh what is shown on this page as upstream context changes.
EPSS note: EPSS is a daily estimate of the relative likelihood that a vulnerability is exploited in the wild; the percentile ranks this CVE among all scored vulnerabilities (higher = more likely to be exploited relative to the others). It measures likelihood, not severity.
| # | Date | Old EPSS score | New EPSS score | Delta (New - Old) |
|---|---|---|---|---|
| 1 | 2026-06-09 | 0.06% | 0.02% | -0.05% |
| 2 | 2026-02-25 | 0.03% | 0.06% | +0.04% |
| 3 | 2025-11-21 | — | 0.03% | — |
Three most recent of 5 EPSS history records shown.
CVSS metrics for this CVE (vector, exploitability and impact sub-scores not provided in the dataset):
| Base score | Version | Severity | Vector | Exploitability | Impact | Score source |
|---|---|---|---|---|---|---|
| 7.4 | 4.0 | HIGH | — | — | — | [email protected] |
Vendor tracking for CVE-2025-46569:
| Vendor | Priority | Summary | Link |
|---|---|---|---|
| debian | unimportant | Debian rates CVE-2025-46569 as unimportant priority: 1 source package (golang-github-open-policy-agent-opa), 2 status rows across 2 suites (forky, sid); 2 resolved. | https://security-tracker.debian.org/tracker/CVE-2025-46569 |
| redhat | high | — | https://access.redhat.com/security/cve/CVE-2025-46569 |
| suse | high | SUSE rates CVE-2025-46569 severity important: 35 source package names (2.2.1-5.22:libaudit1-3.1.1-slfo.1.1_2.1, 2.2.1-5.35:audit-3.1.1-slfo.1.1_2.1, …), 132 product×package rows across 52 product lines (Container suse/sl-micro/6.0/baremetal-os-container, Container suse/sl-micro/6.0/base-os-container, …); 132 fixed. | https://www.suse.com/security/cve/CVE-2025-46569/ |
Affected products (CPE) in the dataset:
| Vendor | Product | Version | Raw CPE |
|---|---|---|---|
| No affected products in dataset. | — | — | — |