CVE-2026-42303: CWE-288: Authentication Bypass Using an Alternate Path or Channel in ethyca fides
A vulnerability in ethyca fides versions 2. 75. 0 up to but not including 2. 83. 2 allows an administrator to approve a privacy request without verifying the subject's identity when both subject identity verification and duplicate privacy request detection are enabled. This can lead to unauthorized erasure of a data subject's records across all integrations configured in the deployment. The issue is fixed in version 2. 83. 2. The CVSS 4.
AI Analysis
Technical Summary
CVE-2026-42303 is an authentication bypass vulnerability (CWE-288) in the ethyca fides privacy engineering platform affecting versions from 2.75.0 to before 2.83.2. When deployments enable both subject identity verification and duplicate privacy request detection, an administrator can approve privacy requests without proper identity verification. This flaw can result in unauthorized deletion of data subject records across all configured integrations, particularly impacting erasure policies. The vulnerability has been addressed and fixed in version 2.83.2.
Potential Impact
The vulnerability allows an administrator to bypass identity verification controls and approve privacy requests improperly. This can lead to unauthorized deletion of personal data across all integrations in the affected deployment, potentially causing data loss and privacy violations. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade ethyca fides to version 2.83.2 or later, where this vulnerability is fixed. Since the vendor advisory confirms the fix in 2.83.2, applying this official update is the recommended remediation. No other mitigation or temporary workaround is indicated.
CVE-2026-42303: CWE-288: Authentication Bypass Using an Alternate Path or Channel in ethyca fides
Description
A vulnerability in ethyca fides versions 2. 75. 0 up to but not including 2. 83. 2 allows an administrator to approve a privacy request without verifying the subject's identity when both subject identity verification and duplicate privacy request detection are enabled. This can lead to unauthorized erasure of a data subject's records across all integrations configured in the deployment. The issue is fixed in version 2. 83. 2. The CVSS 4.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-42303 is an authentication bypass vulnerability (CWE-288) in the ethyca fides privacy engineering platform affecting versions from 2.75.0 to before 2.83.2. When deployments enable both subject identity verification and duplicate privacy request detection, an administrator can approve privacy requests without proper identity verification. This flaw can result in unauthorized deletion of data subject records across all configured integrations, particularly impacting erasure policies. The vulnerability has been addressed and fixed in version 2.83.2.
Potential Impact
The vulnerability allows an administrator to bypass identity verification controls and approve privacy requests improperly. This can lead to unauthorized deletion of personal data across all integrations in the affected deployment, potentially causing data loss and privacy violations. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade ethyca fides to version 2.83.2 or later, where this vulnerability is fixed. Since the vendor advisory confirms the fix in 2.83.2, applying this official update is the recommended remediation. No other mitigation or temporary workaround is indicated.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T12:13:55.552Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a036fcccbff5d86100cc534
Added to database: 5/12/2026, 6:22:04 PM
Last enriched: 5/12/2026, 6:40:18 PM
Last updated: 5/12/2026, 9:27:18 PM
Views: 3
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.