CVE-2022-36085
CVE-2022-36085 is a high-severity vulnerability in Openpolicyagent Open Policy Agent with a CVSS 3.x base score of 7.4. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-20.
Key facts
- Severity: High (CVSS 3.x base score 7.4)
- EPSS exploit prediction: 1% (66th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-20
- Affected product: Openpolicyagent Open Policy Agent
- Published:
- Last modified:
Description
Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn’t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.
Frequently asked questions
- What is CVE-2022-36085?
- Open Policy Agent (OPA) is an open source, general-purpose policy engine. The Rego compiler provides a (deprecated) `WithUnsafeBuiltins` function, which allows users to provide a set of built-in functions that should be deemed unsafe — and as such rejected — by the compiler if encountered in the policy compilation stage. A bypass of this protection has been found, where the use of the `with` keyword to mock such a built-in function (a feature introduced in OPA v0.40.0), isn’t taken into account by `WithUnsafeBuiltins`. Multiple conditions need to be met in order to create an adverse effect. Version 0.43.1 contains a patch for this issue. As a workaround, avoid using the `WithUnsafeBuiltins` function and use the `capabilities` feature instead.
- How severe is CVE-2022-36085?
- CVE-2022-36085 has a CVSS 3.x base score of 7.4, rated high severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity high, and availability none.
- Is CVE-2022-36085 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (66th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-36085?
- CVE-2022-36085 affects Openpolicyagent Open Policy Agent. See the affected-products list for the exact vulnerable versions.
- How do I fix CVE-2022-36085?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround. Given its high severity, prioritise patching exposed systems.
- When was CVE-2022-36085 published?
- CVE-2022-36085 was published on 2022-09-08 and last updated on 2026-06-17.
References
- https://github.com/open-policy-agent/opa/commit/25a597bc3f4985162e7f65f9c36599f4f8f55823
- https://github.com/open-policy-agent/opa/commit/3e8c754ed007b22393cf65e48751ad9f6457fee8
- https://github.com/open-policy-agent/opa/pull/4540
- https://github.com/open-policy-agent/opa/pull/4616
- https://github.com/open-policy-agent/opa/releases/tag/v0.43.1
- https://github.com/open-policy-agent/opa/security/advisories/GHSA-f524-rf33-2jjr
Affected products (1)
- cpe:2.3:a:openpolicyagent:open_policy_agent:*:*:*:*:*:*:*:*
More vulnerabilities in Openpolicyagent Open Policy Agent
- CVE-2022-33082 — High (CVSS 7.5): An issue in the AST parser (ast/compile.go) of Open Policy Agent v0.10.2 allows attackers to cause a Denial of Service…
- CVE-2022-28946 — High (CVSS 7.5): An issue in the component ast/parser.go of Open Policy Agent v0.39.0 causes the application to incorrectly interpret…
- CVE-2022-23628 — Medium (CVSS 6.3): OPA is an open source, general-purpose policy engine. Under certain conditions, pretty-printing an abstract syntax tree…
- CVE-2024-8260 — Medium (CVSS 6.1): A SMB force-authentication vulnerability exists in all versions of OPA for Windows prior to v0.68.0. The vulnerability…
All CVEs affecting Openpolicyagent Open Policy Agent →
Other CWE-20 (Improper Input Validation) vulnerabilities
- CVE-2026-48316 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48281 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48277 — Critical (CVSS 10.0): ColdFusion versions 2025.9, 2023.20 and earlier are affected by an Improper Input Validation vulnerability that could…
- CVE-2026-48055 — Critical (CVSS 10.0): Streambert is a cross-platform Electron Desktop App to stream and download any video media. In versions 2.4.0 and…
- CVE-2026-34910 — Critical (CVSS 10.0): A malicious actor with access to the network could exploit an Improper Input Validation vulnerability found in UniFi OS…
- CVE-2026-33587 — Critical (CVSS 10.0): Lack of user input sanitisation in Open Notebook v1.8.3 allows the application user to execute Python code (and…
Browse all CWE-20 (Improper Input Validation) vulnerabilities →