lakeFS Missing Authentication Vulnerability in Usage Report Summary Endpoint

Vulnerability

A vulnerability exists in lakeFS versions prior to 1.71.0, where the /api/v1/usage-report/summary endpoint lacks proper authentication. This flaw allows any unauthenticated caller to read aggregate API usage data. Although no sensitive information is disclosed, the data could provide insights into service activity or uptime.

Impact

Exploitation of this vulnerability allows unauthorized access to aggregate API usage counts, which could indicate service activity or uptime.

Remediation

Upgrade to lakeFS version 1.71.0 or later. Alternatively, a load balancer or application-level firewall can be used to block access to the /api/v1/usage-report/summary endpoint until the upgrade is done.
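The following script is an added example for verifying the remediation on your own deployment; it is not lakeFS project code. It assumes a lakeFS base URL (http://localhost:8000 is a placeholder) and treats a 401/403 response to an unauthenticated request as "fixed" and a 404 as "blocked upstream" by a load balancer or firewall rule.

```python
import re
import urllib.error
import urllib.request

FIXED_VERSION = (1, 71, 0)          # first release with the fix, per the advisory
ENDPOINT = "/api/v1/usage-report/summary"


def parse_version(version: str) -> tuple:
    """Turn 'v1.70.3' into (1, 70, 3); a prerelease suffix is ignored."""
    m = re.match(r"v?(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(x) for x in m.groups())


def is_affected(version: str) -> bool:
    """True when the reported lakeFS version predates the fix (< 1.71.0)."""
    return parse_version(version) < FIXED_VERSION


def classify(status: int) -> str:
    """Map the HTTP status of an unauthenticated GET to a finding."""
    if status == 200:
        return "EXPOSED"          # endpoint answered without credentials
    if status in (401, 403):
        return "AUTH_REQUIRED"    # the fix (or an app-firewall rule) is in place
    if status == 404:
        return "BLOCKED"          # e.g. a load balancer rule dropped the path
    return "UNEXPECTED"


def check_endpoint(base_url: str, timeout: float = 5.0) -> str:
    """GET the endpoint with no Authorization header and classify the result."""
    req = urllib.request.Request(base_url.rstrip("/") + ENDPOINT, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status)
    except urllib.error.HTTPError as e:       # non-2xx responses land here
        return classify(e.code)


if __name__ == "__main__":
    # Placeholder URL: point this at your own lakeFS instance.
    print(check_endpoint("http://localhost:8000"))
```

Run it before and after applying the upgrade or the blocking rule; the result should move from EXPOSED to AUTH_REQUIRED or BLOCKED.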

Added: Nov 6, 2025, 10:25 PM
Updated: Nov 6, 2025, 10:25 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 8.1
remediation: 0.0
relevance: 1.0
threat: 3.2
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.