CVE-2026-42303: Ethyca Fides has a Privacy Request Identity Verification Bypass Vulnerability via Duplicate Detection
(updated )
Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject’s records across every integration configured in the affected deployment.
A related lower-severity denial-of-service issue, in which an unauthenticated attacker could prevent a legitimate data subject from completing their own privacy requests, is also patched in the fix for this vulnerability.
References
- github.com/advisories/GHSA-qx5f-ghc2-7g5c
- github.com/ethyca/fides/commit/0e320b20934eb5af3a3d5127dba2691605d7ff37
- github.com/ethyca/fides/commit/e7a6527b0f9fdc9887b86a89bb5453e7421882dd
- github.com/ethyca/fides/pull/7971
- github.com/ethyca/fides/pull/7972
- github.com/ethyca/fides/releases/tag/2.83.2
- github.com/ethyca/fides/security/advisories/GHSA-qx5f-ghc2-7g5c
- nvd.nist.gov/vuln/detail/CVE-2026-42303
Code Behaviors & Features
Detect and mitigate CVE-2026-42303 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →