CVE-2026-23538 PUBLISHED

Feast: resource exhaustion via websocket endpoint

Assigner: redhat
Reserved: 13.01.2026 Published: 16.07.2026 Updated: 16.07.2026

A vulnerability was identified in the Feast Feature Server's /ws/chat endpoint that allows remote attackers to establish persistent WebSocket connections without any authentication. By opening a large number of simultaneous connections, an attacker can exhaust server resources—such as memory, CPU, and file descriptors—leading to a complete denial of service for legitimate users.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CVSS Score: 7.5

Product Status

Vendor Feast
Product Feast Feature Server
Versions Default: unaffected
  • affected from 0 to 0.59.0 (excl.)
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected
Vendor Red Hat
Product Red Hat OpenShift AI (RHOAI)
Versions Default: unaffected

Workarounds

Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability.

Credits

  • This issue was discovered by Jitendra Yejare (Red Hat).

References

Problem Types

  • Allocation of Resources Without Limits or Throttling CWE