Node host-inventory, Rails component, search deserialization, and operator boundary checks¶
Source: hourly offensive-security scan, 2026-07-15 GitHub advisory wave. Primary entries: GHSA-5xpp-75jx-m839 / CVE-2026-50289, GHSA-97jw-64cj-jc58 / CVE-2026-54498, GHSA-9h85-g7w3-rh49 / CVE-2026-54497, GHSA-r3hx-x5rh-p9vv, GHSA-398h-7f66-3h4p / CVE-2026-54495, GHSA-qmc5-gv6v-8p22 / CVE-2026-50266, GHSA-8f39-v287-78jf / CVE-2026-50076, and GHSA-76qh-xr7q-h39m / CVE-2026-44393.
This batch is durable because it exposes repeatable operator boundaries: local host configuration parsed into shell commands by inventory libraries, Rails component wrapper hooks bypassing the normal HTML-safety boundary, reused render objects retaining cross-request context, indexed content flowing into Python eval() during search result deserialization, Kubernetes operators resolving cross-namespace specs, tenant network-service flags bypassing Neutron shared-network controls, Java deserializers reaching classpath hooks despite type filters, and OpenStack RPC clients validating CA chains without binding broker hostnames.
Authorized validation only
Keep proofs to disposable Linux hosts, Rails/Django/OpenStack/Kubernetes labs, synthetic search documents, fake feature-flag specs, throwaway Neutron networks, inert serialized Java fixtures, lab CAs, and marker-only callbacks. Do not modify production network configuration, execute shell payloads on production agents, collect real tenant traffic, dump real feature-flag tokens, read live search content, capture RabbitMQ credentials, or run destructive cloud control-plane operations.
What changed¶
| Advisory | Component | Boundary | Operator value |
|---|---|---|---|
| GHSA-5xpp-75jx-m839 / CVE-2026-50289 | systeminformation networkInterfaces() on Linux | interfaces(5) source directive path is read from local system state and interpolated unquoted into an execSync() shell string while collecting DHCP state | Treat host-inventory and monitoring APIs as execution sinks when they parse mutable OS config before shelling out. Prove only with a lab interfaces source chain and inert marker command. |
| GHSA-97jw-64cj-jc58 / CVE-2026-54498 | Rails ViewComponent around_render and collection rendering | around_render return values bypass the escaping applied to normal #call output; collection rendering can join raw strings and mark the aggregate html_safe | Add wrapper/hook output-safety checks to Rails component reviews, especially where user text is conditionally returned from instrumentation or wrapper code. |
| GHSA-9h85-g7w3-rh49 / CVE-2026-54497 | Rails ViewComponent reused instances, slots, and collections | Mutable component instances retain helpers, controller, request, view flow, format, variant, and slot context across renders when reused across requests/users/threads | Test cached component instances as cross-request trust boundaries: authorization-aware UI, host-derived links, and slot helpers should not reuse another user's render context. |
| GHSA-r3hx-x5rh-p9vv | django-haystack Elasticsearch backend | Documents stored under index_fieldname aliases miss logical-field converters and fall through to _to_python() -> eval() on raw Elasticsearch values | For search-backed apps, trace indexed user content all the way back through result deserialization, not only into the indexer. Synthetic document values can prove code-evaluation reachability without exposing real content. |
| GHSA-398h-7f66-3h4p / CVE-2026-54495 | OpenFeature Operator FeatureFlagSource / InProcessConfiguration annotations | A tenant workload can reference {namespace}/{name} sources; the cluster-scoped operator materializes inline spec contents such as envVars, bearer-token fields, and sync URIs into the referencing workload | In multi-tenant Kubernetes assessments, test operator annotation syntax as an authorization surface, not just core Kubernetes RBAC. |
| GHSA-qmc5-gv6v-8p22 / CVE-2026-50266 | OpenStack Neutron shared-network port policy | Project managers can set trusted device_owner values such as network:dhcp on ports attached to another project's shared network | Add shared-network tenant controls for device-owner semantics; marker ports can show whether anti-spoofing/security-group behavior changes without attacking other tenants. |
| GHSA-8f39-v287-78jf / CVE-2026-50076 | Apache Fory Java SDK replace-resolve path | Crafted serialized data can bypass class registration, type checking, and disallow lists, then invoke classpath-present readResolve / readExternal hooks | Treat serializer type filters as bypassable until a fixture proves the exact Java hook path is unreachable. Keep proofs to inert classes compiled into a lab harness. |
| GHSA-76qh-xr7q-h39m / CVE-2026-44393 | OpenStack oslo.messaging RabbitMQ TLS client | CA validation is enabled, but the expected broker hostname is not passed into TLS verification; any deployment-CA-signed certificate can impersonate the broker | For OpenStack control planes, verify TLS identity binding separately from chain trust. Use lab CAs and fake brokers only; do not intercept production RPC traffic. |
Replayable validation boundaries¶
Linux host-inventory command-boundary check¶
- Build a disposable Debian/Ubuntu-style Linux VM or container with an affected
systeminformationrelease below5.31.7and a minimal Node harness that callsnetworkInterfaces(),getStaticData(), orgetAllData(). - Back up the lab
/etc/network/interfacesfile, then create a controlledsourcechain that references only a temporary test file under a lab directory. - Insert an inert shell-metacharacter marker in the sourced path, such as writing a fixed string to a temporary file owned by the lab process. Do not use reverse shells, network callbacks, credential reads, or persistence paths.
- Run the harness and record whether the marker proves that the parsed
sourcetoken reachedexecSync()unquoted. - Add controls for patched
5.31.7, a benignsourcepath, a file containingsource-directory, a process running as an unprivileged user, and Linux hosts that do not use/etc/network/interfaces.
Report this as mutable host network config -> inventory library parser -> unquoted shell command during DHCP-state collection. Evidence should include affected package version, source-chain class, harness API called, marker-only effect, process user if safely visible, and patched negative control.
Rails ViewComponent output-safety and stale-context checks¶
- Stand up a disposable Rails app using an affected ViewComponent version below
4.12.0with one low-privilege and one high-privilege lab user. - For the
around_renderissue, create a component whose normal#calloutput containing synthetic user text is escaped, then wrap or replace output througharound_renderwith the same marker. Record whether the wrapper return is emitted raw. - Repeat in collection rendering where joined component output may be marked
html_safeas a group. Use harmless DOM markers rather than credential-harvesting scripts. - For the stale-context issue, intentionally reuse the same component, collection, or spacer instance across two lab requests with different users, hosts, and helper-visible state.
- Record whether authorization-aware UI, links, slot content, request details, or host-derived helpers from User A appear in User B's render.
- Add controls for patched
4.12.0, fresh component instances per render, non-collection rendering, escaped#calloutput, concurrent versus sequential renders, and templates that never use user-controlled data.
Report these as component wrapper return bypasses escape boundary and cached mutable component instance retains prior request context. Evidence should be route, component class, role/host pair, marker text or DOM marker, render mode, and patched or fresh-instance negative controls.
Search-result deserialization eval() check¶
- Build a Django/django-haystack lab with the Elasticsearch backend and an affected release below
3.4.0. - Define a
SearchFieldwith anindex_fieldnamealias different from the logical field name, then index a synthetic object whose aliased field value is fully controlled by the lab user. - Use an inert Python expression marker that proves evaluation without shelling out or reading files, such as constructing a unique string through safe built-ins observable in the result path.
- Trigger a search that returns the document and observe whether
_process_results()routes the aliased value through_to_python()andeval()instead of the field converter. - Add controls for patched
3.4.0, matching logical/index field names, non-Elasticsearch backends, fields with explicit converters reached correctly, and ordinary literal strings that should deserialize without evaluation.
Report this as indexed attacker-controlled field alias -> converter lookup miss -> raw search result value evaluated in Django process. Evidence should include index schema, alias mismatch, stored marker value class, search route, evaluation result, and patched negative control. Do not index shell commands or production content.
Kubernetes operator cross-namespace materialization check¶
- Use a multi-tenant lab cluster with two namespaces representing separate tenants and the affected OpenFeature Operator deployed with its normal cluster-scoped permissions.
- In tenant A, create a
FeatureFlagSourceorInProcessConfigurationcontaining only synthetic inline spec markers: fakeenvVars, fakehttpSyncBearerToken, and an owned sync URI. - In tenant B, create a controller-owned workload annotated with
openfeature.dev/featureflagsource: tenant-a/nameor the documented cross-namespace syntax in scope. - Observe only whether tenant A's inline spec markers are materialized into tenant B's pod, sidecar arguments, environment, generated ConfigMap, or operator-managed resources.
- Add controls for no OwnerReference, same-namespace references, patched operator behavior when available, missing source names, RBAC denying tenant B source reads directly, and
secretKeyRef/configMapKeyRefvalues that should remain namespace-local.
Report this as tenant-controlled workload annotation -> cluster-scoped operator resolves another namespace's feature-flag spec -> inline secret-like fields copied into tenant workload. Evidence should be namespace pair, annotation value, marker field class, materialization location, and direct-RBAC negative control.
OpenStack shared-network and RPC identity checks¶
- Build an OpenStack lab with at least two projects sharing a network, Neutron below
28.0.1, and project-manager credentials that do not own the shared network. - Attempt to create or update only a disposable port on the shared network with a trusted-looking
device_ownervalue such asnetwork:dhcp. Do not attach it to production subnets or issue traffic against other tenants. - Record whether Neutron accepts the trusted device owner and whether lab-only anti-spoofing/security-group behavior differs from an ordinary tenant port.
- Separately, in an oslo.messaging/RabbitMQ TLS lab, configure a deployment CA and present a fake broker certificate signed by that CA but issued for the wrong hostname.
- Observe whether affected clients complete TLS and attempt RPC/notification traffic to the fake broker. Log only connection metadata and marker messages; do not capture real service credentials or production payloads.
- Add controls for patched Neutron policies, network-owner credentials, ordinary project-member credentials, correct and incorrect broker hostnames, certificates signed by an untrusted CA, and non-RabbitMQ transports.
Report these as shared-network project-manager role -> trusted service-port semantics on another project network and CA-valid but hostname-wrong broker certificate -> OpenStack RPC client accepts impersonated RabbitMQ endpoint.
Java serializer hook-bypass check¶
- Build a local Apache Fory Java harness below
1.1.0with class registration, type checking, and a disallow list configured to match the target's expected hardening posture. - Compile a lab-only class with inert
readResolveorreadExternalbehavior that emits a marker string or toggles an in-memory flag. Do not include file, network, process, reflection, or classloader side effects. - Feed a crafted Fory serialized fixture through the replace-resolve path and record whether the hook executes despite the configured filters.
- Add controls for patched
1.1.0, absent lab marker class, class not on the classpath, filters that should block the type, and ordinary registered benign classes.
Report this as untrusted Fory serialized bytes -> replace-resolve path bypasses type filters -> classpath hook invocation. Evidence should be library version, filter posture, fixture class name, inert hook result, and patched negative control.
Reporting notes¶
- Lead with preconditions: who can modify
/etc/network/interfacesor sourced files, whether components are reused across requests, who controls indexed content, namespace tenancy assumptions, OpenStack project roles, serializer exposure, and control-plane network position. - Prefer decision tables over payload dumps: input source, parser stage, trust boundary, sink, marker effect, and negative control.
- Redact host paths outside lab temp directories, tenant names, feature-flag tokens, RabbitMQ credentials, OpenStack endpoints, search documents, and component source code that reveals customer business logic.
- The same scan included Pomerium zstd memory exhaustion, Datadog W3C baggage parsing denial-of-service advisories, and
serde_withpanic behavior. They were marked processed without promotion because this run did not identify a safe, durable offensive workflow beyond bounded availability testing.