ethyca-fides
cpe:2.3:a:ethyca:fides:*:*:*:*:*:*:*
Affected versions: < 2.69.1
A vulnerability exists in the Fides Admin UI login endpoint prior to version 2.69.1, where the authentication process relies on a general IP-based rate limit for all API traffic. This approach lacks specific anti-automation measures to guard against brute-force attacks, such as credential stuffing or password spraying. As a result, accounts with weak or previously compromised passwords are at risk.
The absence of targeted protections for authentication allows for credential testing attacks, potentially leading to unauthorized access to user accounts within the Fides Admin UI.
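The contrast the advisory draws, a generous per-IP budget shared by every API route versus controls that are specific to the login endpoint, is easiest to see in code. The following is an added illustration, not Fides code: it builds a sliding-window counter, applies it once as a global per-IP limit and once as a login-specific limit that counts failures per account and attempts per IP, then replays the two credential-testing patterns the advisory names against both. The account names, IP addresses, thresholds and the plaintext credential store are all constructed for the demo.

```python
from collections import defaultdict, deque

# Constructed demo credential store (plaintext only to keep the demo short; a
# real service compares against a password hash).
USERS = {"alice": "correct horse", "bob": "hunter2"}

# Constructed inputs for the two replay patterns.
SPRAY_TARGETS = [f"user{i:03d}" for i in range(100)]          # many accounts, one IP
STUFFING_IPS = [f"198.51.100.{i}" for i in range(1, 26)]      # one account, many IPs
STUFFING_GUESSES = [f"guess{i}" for i in range(50)]           # none is alice's password


class SlidingWindowCounter:
    """Counts events per key inside a trailing time window (caller supplies the clock)."""

    def __init__(self, limit, window_seconds):
        self.limit = limit
        self.window = window_seconds
        self.events = defaultdict(deque)

    def _prune(self, key, now):
        q = self.events[key]
        while q and now - q[0] >= self.window:
            q.popleft()
        return q

    def exceeded(self, key, now):
        return len(self._prune(key, now)) >= self.limit

    def record(self, key, now):
        self._prune(key, now).append(now)


class GeneralApiLimiter:
    """The weak pattern: one generous per-IP budget shared by every API route."""

    def __init__(self):
        self.per_ip = SlidingWindowCounter(limit=1000, window_seconds=60)

    def login(self, ip, username, password, now):
        if self.per_ip.exceeded(ip, now):
            return "rate_limited"
        self.per_ip.record(ip, now)
        return "ok" if USERS.get(username) == password else "bad_credentials"


class LoginEndpointLimiter:
    """Login-specific anti-automation: failures per account, attempts per IP, plus alerts."""

    def __init__(self):
        self.failures_per_account = SlidingWindowCounter(limit=5, window_seconds=900)
        self.attempts_per_ip = SlidingWindowCounter(limit=20, window_seconds=900)
        self.alerts = []  # lines a detection pipeline would consume

    def login(self, ip, username, password, now):
        if self.failures_per_account.exceeded(username, now):
            self.alerts.append(f"t={now}: account {username} locked, attempt from {ip}")
            return "account_locked"
        if self.attempts_per_ip.exceeded(ip, now):
            self.alerts.append(f"t={now}: login attempts from {ip} throttled")
            return "rate_limited"
        self.attempts_per_ip.record(ip, now)
        if USERS.get(username) == password:
            return "ok"
        self.failures_per_account.record(username, now)
        return "bad_credentials"


def spray_result(limiter, ip="203.0.113.10"):
    """One IP, one password, many accounts: returns how many guesses reached the password check."""
    evaluated = 0
    for i, user in enumerate(SPRAY_TARGETS):
        if limiter.login(ip, user, "Winter2024", now=float(i)) in ("ok", "bad_credentials"):
            evaluated += 1
    return evaluated


def stuffing_result(limiter, username="alice"):
    """Many IPs, many passwords, one account: returns how many guesses reached the password check."""
    evaluated = 0
    for i, guess in enumerate(STUFFING_GUESSES):
        ip = STUFFING_IPS[i % len(STUFFING_IPS)]
        if limiter.login(ip, username, guess, now=float(i)) in ("ok", "bad_credentials"):
            evaluated += 1
    return evaluated


if __name__ == "__main__":
    for cls in (GeneralApiLimiter, LoginEndpointLimiter):
        print(cls.__name__, "spray:", spray_result(cls()), "stuffing:", stuffing_result(cls()))
```

Under the general limiter every guess in both replays reaches the password check, because a few hundred login requests never approach a budget sized for all API traffic. Under the login-specific limiter the spray stops at the per-IP login cap and the stuffing run stops at the per-account failure cap, and each refusal leaves an alert line. A hard per-account lock is itself a denial-of-service lever against known usernames, so a production design would normally pair the per-account counter with progressive delays or a challenge rather than a flat lockout; the point here is only that the counters have to be scoped to authentication.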
Users are advised to upgrade to Fides version 2.69.1 or later. For organizations with commercial Fides Enterprise licenses, configuring Single Sign-On (SSO) through an OIDC provider (such as Azure, Google, or Okta) is an effective workaround. SSO is not available to Fides Open Source users.