CVE-2026-42303
CVE-2026-42303 is a medium-severity vulnerability with a CVSS 4.0 base score of 6.1. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-288.
Key facts
- Severity: Medium (CVSS 4.0 base score 6.1)
- EPSS exploit prediction: 0% (23rd percentile)
- Actively exploited: Not listed in CISA KEV
- EU (EUVD) id: EUVD-2026-29705
- Weakness: CWE-288
- Published:
- Last modified:
Description
Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment. This vulnerability is fixed in 2.83.2.
Frequently asked questions
- What is CVE-2026-42303?
- Fides is an open-source privacy engineering platform. From 2.75.0 to before 2.83.2, Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment. This vulnerability is fixed in 2.83.2.
- How severe is CVE-2026-42303?
- CVE-2026-42303 has a CVSS 4.0 base score of 6.1, rated medium severity.
- Is CVE-2026-42303 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 0% (23rd percentile), an estimate of the probability of exploitation in the next 30 days.
- How do I fix CVE-2026-42303?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- Does CVE-2026-42303 have an EU (EUVD) identifier?
- Yes. CVE-2026-42303 is tracked in the ENISA EU Vulnerability Database (EUVD) as EUVD-2026-29705.
- When was CVE-2026-42303 published?
- CVE-2026-42303 was published on 2026-05-12 and last updated on 2026-06-17.
References
- https://github.com/ethyca/fides/commit/0e320b20934eb5af3a3d5127dba2691605d7ff37
- https://github.com/ethyca/fides/commit/e7a6527b0f9fdc9887b86a89bb5453e7421882dd
- https://github.com/ethyca/fides/pull/7971
- https://github.com/ethyca/fides/pull/7972
- https://github.com/ethyca/fides/releases/tag/2.83.2
- https://github.com/ethyca/fides/security/advisories/GHSA-qx5f-ghc2-7g5c
Other CWE-288 vulnerabilities
- CVE-2026-53622 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 3.7.3, there is a critical vulnerability in Traefik's…
- CVE-2026-48491 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. From 3.7.0 until 3.7.3, there is a high severity vulnerability in…
- CVE-2026-48020 — Critical (CVSS 10.0): Traefik is an HTTP reverse proxy and load balancer. Prior to 2.11.48, 3.6.19, and 3.7.3, there is a high severity…
- CVE-2026-20079 — Critical (CVSS 10.0): A vulnerability in the web interface of Cisco Secure Firewall Management Center (FMC) Software could allow an…
- CVE-2024-10081 — Critical (CVSS 10.0): CodeChecker is an analyzer tooling, defect database and viewer extension for the Clang Static Analyzer and Clang Tidy.…
- CVE-2024-2973 — Critical (CVSS 10.0): An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router or…