“Are we quantum-safe?”

A year ago, that question came from the most forward-thinking 5% of our customer base. Today, it is coming from everyone. And that shift, from curiosity to urgency, tells you everything you need to know about where the security industry is headed.

Post-Quantum Cryptography is not a future problem anymore. It is a right now problem. And the customers asking us about it are not being paranoid. They are being smart.

What is post-quantum cryptography? Post-quantum cryptography (PQC) is a new generation of public-key algorithms designed to remain secure against attacks from both classical and large-scale quantum computers. Unlike RSA and elliptic-curve cryptography, which rely on math that a sufficiently powerful quantum computer can break, PQC algorithms are based on mathematical problems that are believed to be hard for quantum machines as well -protecting the data your organization encrypts today from being decrypted in the future.

The “Harvest Now, Decrypt Later” Threat Is Already in Motion

Let us be direct about the threat model, because it is one that does not get nearly enough attention in mainstream security conversations.

You do not need a quantum computer to exist today for your encrypted data to already be at risk.

Sophisticated nation-state adversaries are actively collecting encrypted TLS traffic right now, including your transactions, your authentication sessions, and your sensitive data in transit, with the explicit intention of decrypting it later once quantum computing reaches sufficient capability. This strategy has a name: “Harvest Now, Decrypt Later.” And it is not theoretical. It is happening.

The implication is sobering: the security decisions you make today about encryption determine the confidentiality of data that will still be sensitive in five, ten, or fifteen years. Healthcare records. Financial transactions. Government communications. Intellectual property. Any data with long-term value is already a target for harvesting.

Classical TLS, the encryption backbone of the modern internet, was not built to withstand quantum-scale attacks. The mathematical problems that make RSA and ECC hard to break today become tractable for sufficiently powerful quantum computers. When that threshold is crossed, the encryption protecting decades of harvested data becomes transparent.

This is not a hypothetical edge case. It is a strategic, long-horizon attack that demands a strategic, long-horizon defense.

Our Customers Are Already Asking. We Already Have the Answer.

Here is something I want to be transparent about, because I think it matters.

At Thales, we have been getting questions about PQC readiness from customers consistently and with increasing frequency. These are not fringe inquiries from academic researchers or early adopters chasing the next shiny thing. These are enterprise security teams, regulated industry customers in finance, healthcare, and defense, and compliance officers who are watching the regulatory horizon and doing the math.

They are thinking about it. And they deserve a vendor who is already ahead of it.

That is exactly why I am proud to share what we have built. Thales’ Imperva platform now supports hybrid TLS handshakes combining X25519 and MLKEM768, a pairing of classical elliptic curve cryptography with a quantum-safe Key Encapsulation Mechanism aligned directly with NIST PQC standards. This hybrid approach protects connections between clients and Imperva Points of Presence with both classical and quantum-safe algorithms running simultaneously, ensuring security regardless of which threat model materializes first.

And we did not just build the capability for customers. We completed the migration of all Imperva sites ourselves. We validated it in production before asking anyone else to trust it.

That is what proactive security looks like.

What Hybrid TLS Actually Looks Like in Practice

I know “hybrid TLS handshake” can sound abstract, so let me ground it in something concrete.

When a client connects to a Thales Imperva-protected application today, that TLS 1.3 session is authenticated using X25519MLKEM768, a combined algorithm that you can actually observe directly if you inspect the connection in Chrome’s security panel. You will see exactly what the screenshot above shows: “The connection to this site is encrypted and authenticated using TLS 1.3, X25519MLKEM768, and AES_128_GCM.”

That is not marketing language. That is your browser’s own security panel confirming quantum-safe encryption is active.

What this means practically:

• A classical adversary cannot break the X25519 component
• A quantum-capable adversary cannot break the MLKEM768 component
• Both would need to be broken simultaneously, which represents an effectively impossible bar with current and near-future capabilities

The hybrid model is deliberate and important. Pure PQC algorithms, while mathematically quantum-resistant, are newer and have had significantly less real-world cryptanalysis time than their classical counterparts. The hybrid approach ensures we are not trading one risk for another. We are stacking defenses. This is defense-in-depth applied to cryptography itself.

Zero Performance Trade-off. No Traffic Impact. Full Protection.

Here is the objection I hear almost every time PQC comes up in a customer conversation: “That sounds computationally expensive. What does it do to latency?”

The answer, which genuinely surprises most people: nothing measurable.

Our PQC implementation introduces no performance trade-off and no traffic impact. This matters enormously because one of the most common reasons organizations delay critical security upgrades is the perceived performance cost. Security teams propose the upgrade. Engineering teams push back on latency. The initiative stalls.

With Thales’s PQC implementation, that objection is gone.

Quantum-safe encryption that slows your applications down is not a real solution. It is a compliance checkbox that creates new operational problems while solving a cryptographic one. We were not willing to ship that. The implementation delivers genuine quantum-safe security without the operational tax, and that is the only version of this capability worth deploying at enterprise scale.

The Compliance Horizon Is Closer Than You Think

If the threat model alone is not enough to create urgency in your organization, and for some organizations it is not, that is an honest reality, then the regulatory and compliance landscape should be.

Governments and standards bodies have moved decisively and fast:

• NIST finalized its first PQC standards in 2024: FIPS 203 (ML-KEM), FIPS 204 (ML-DSA), and FIPS 205 (SLH-DSA). These are no longer drafts. They are published standards.
• The S. White House issued NSM-10 directing federal agencies to inventory cryptographic systems and prioritize PQC migration timelines
• CNSA 2.0 mandates PQC adoption for national security systems with defined timelines
• Financial services regulators in the EU and UK are actively publishing PQC readiness guidance for institutions
• DORA and NIS2 in Europe are tightening cryptographic resilience requirements across critical infrastructure sectors

The direction is unambiguous. Regulated industries, including finance, defense, and healthcare, are going to face PQC compliance requirements. The organizations that begin migration now will meet those requirements ahead of schedule, with time to test, validate, and optimize. The ones that wait will be scrambling to meet deadlines under pressure.

Thales’s PQC support is directly aligned with enterprise and regulated sector expectations today. When your auditor, your regulator, or your enterprise customer asks whether your traffic is quantum-safe, the answer should already be yes.

This Is a Security Evolution, Not a Cryptographic Revolution

I want to address something directly, because the way PQC gets discussed in the media can make it sound like a complete overhaul that requires ripping out and replacing your entire security infrastructure overnight.

That framing is not helpful. And it is not accurate.

PQC is a security evolution. The underlying architecture of TLS, certificates, and encrypted communications does not change. The mathematical primitives powering key exchange and authentication do. For most organizations, particularly those working with a security partner like Imperva that has already done the migration work, the path forward is far more manageable than the “quantum apocalypse” narrative suggests.

The hybrid approach makes this especially true. You do not abandon classical cryptography overnight. You layer quantum-safe algorithms alongside proven ones, maintain backward compatibility where needed, and progressively increase quantum-safe coverage as the ecosystem matures and client-side support expands.

Supporting our customers to be PQC compliant at the start of the year was just one step in that evolution. It is a step we took proactively, before our customers needed to ask twice, because that is what it means to be a security partner rather than just a security vendor.

What You Should Do Right Now

If you are a CISO, a security architect, or a compliance officer reading this, here is where I would focus your energy:

1. Inventory your cryptographic exposure.
   Understand which systems handle data with long-term sensitivity. Those are your highest-priority migration targets. Build cryptographic agility, the ability to swap algorithms without architectural overhaul, into your design principles going forward.
2. Ask your vendors the question.
   “Are you quantum-safe?” is now a legitimate and necessary vendor evaluation criterion. Any security vendor without a PQC roadmap, let alone a GA capability in production, should be on notice.
3. Do not wait for regulatory mandates to force your hand.
   The organizations that will navigate PQC transitions smoothly are the ones building the capability now. The ones scrambling to meet a 2027 or 2028 compliance deadline will pay for the delay in both cost and risk.
4. Understand why the hybrid model is the right posture.
   Pure PQC is not the immediate goal for most enterprise environments. Hybrid classical plus quantum-safe is the right posture for 2026. Demand that from your vendors and your internal security teams.
5. Talk to Thales.
   We have done this. Our sites are migrated, our customer sites are migrated. Our PoPs support hybrid TLS with MLKEM768 today. We can help you understand what your path looks like and what questions you should be asking across your vendor portfolio.

The Bottom Line

The harvest is already happening. The standards are finalized. The regulatory expectations are forming. And the technology to protect yourself, without performance trade-offs, without ripping out your stack, is available right now.

Our customers are asking about PQC readiness because they understand the stakes. They are thinking about long-horizon risk in a way that their boards and regulators are increasingly demanding. And they deserve a security partner who is not just thinking about it alongside them but has already built, tested, and deployed the answer.

Post-Quantum Cryptography is not a problem for the security teams of 2030. It is a problem for the security teams of today, being solved by the tools available today.

Thales is quantum-ready.

The question is: are you?

Thales Imperva’s Post-Quantum Cryptography support, hybrid TLS with X25519 plus MLKEM768 for Client to Imperva connections, reached General Availability at the start of 2026. To learn more about Imperva’s PQC readiness and what it means for your organization, contact us or explore our Cloud WAF capabilities.

Post-Quantum Cryptography FAQ

What is post-quantum cryptography (PQC)?

Post-quantum cryptography is a set of public-key algorithms designed to remain secure against attacks from large-scale quantum computers. It replaces or augments classical algorithms like RSA and elliptic-curve cryptography, whose underlying math a sufficiently powerful quantum computer could break.

What is a “harvest now, decrypt later” attack?

“Harvest now, decrypt later” is a strategy in which adversaries collect and store encrypted traffic today so they can decrypt it once quantum computers become powerful enough to break classical public-key cryptography. Any data that will still be sensitive in five to fifteen years—healthcare records, financial transactions, intellectual property—is already a target.

What is ML-KEM (FIPS 203)?

ML-KEM (Module-Lattice-based Key-Encapsulation Mechanism) is the NIST-standardized post-quantum key exchange specified in FIPS 203, published August 13, 2024. Imperva pairs ML-KEM-768 with the classical X25519 key exchange to form a hybrid TLS handshake—giving every connection both classical and quantum-safe protection.

Why pair a quantum-safe algorithm with a classical one (hybrid TLS)?

Pure PQC algorithms are mathematically quantum-resistant but have had far less real-world cryptanalysis than RSA or elliptic-curve cryptography. A hybrid handshake runs both classical and PQC key exchange together: an attacker would have to break both to compromise the session. It is defense-in-depth for cryptography itself, and it’s the recommended posture for 2026.

Is Imperva quantum-safe today?

Yes. Thales Imperva’s PQC support, hybrid TLS combining X25519 and ML-KEM-768 for client-to-Imperva connections, reached general availability at the start of 2026. All Imperva sites have already been migrated. For setup details and current handshake scenarios, see the Imperva PQC support documentation.

The post The Clock Is Already Ticking: Why Post-Quantum Cryptography Can’t Wait appeared first on Blog.

About CVE-2026-49975

On June 3, 2026, California-based cybersecurity firm Calif disclosed a novel, highly disruptive remote denial-of-service attack chain tracked as CVE-2026-49975. The exploit targets structural similarities across default HTTP/2 protocol implementations, potentially threatening over 880,000 websites operating on default stack configurations.

Remarkably, the vulnerability chain was identified using OpenAI’s Codex. The AI model parsed multiple public codebases, recognizing that two distinct techniques, (each public or partially resolved for nearly a decade), could be seamlessly chained together to cripple enterprise web servers.

The exploit functions by combining two distinct phases:

1. The Bookkeeping Compression Bomb (HPACK): Unlike traditional compression bombs that expand huge, stuffed data strings to trigger decoded-size limits, this variant relies on an optimized, nearly empty header payload. Instead of triggering maximum header restrictions, it forces the server to spend immense memory allocations purely on the internal per-entry bookkeeping and structural tables of the HTTP/2 HPACK scheme.
2. The Flow-Control Slowloris Hold: Once the massive internal memory overhead is forced, the attack client advertises a zero-byte flow-control window. This effectively forces the server to hang, preventing it from sending a response while concurrently resetting the send timeouts. The connection stays active, trapping the allocated server memory indefinitely.

Because the attack vectors utilize standard, valid HTTP/2 frame properties, an unauthenticated attacker using a basic home computer over a 100 Mbps connection can exhaust up to 32GB of server memory within 20 seconds, knocking targeted infrastructure offline almost instantly.

What We’ve Seen

Following the public disclosure, Imperva Threat Research has been actively tracking reconnaissance and proof-of-concept (PoC) validation activity corresponding to the newly released guidelines.

Because the exploit relies on native HTTP/2 frame manipulations, specifically targeting HPACK table modifications combined with restrictive WINDOW_UPDATE flow mechanics, initial traffic patterns show distinct automated probing behavior rather than standard application-layer payloads. Attackers are running specialized tools designed to map out whether target servers handle aggressive, dense bursts of small header blocks under restricted windows without terminating the connection. Given that HTTP/2 is almost universally adopted across modern web infrastructure, any unpatched asset running default configurations of the affected servers remains a viable target for these generic probes.

Mitigation and Protection

Organizations are advised to audit their web server footprints and apply vendor updates immediately:

• NGINX: Upstream fixes were quietly addressed in version 1.29.8+ and supported branches in April.
• Apache HTTPD: Fixes addressing the specific chaining behaviors have been integrated into late-May releases.
• Microsoft IIS, Envoy, and Cloudflare Pingora: Default configurations remain exposed at the time of writing; organizations using these platforms should closely monitor infrastructure memory thresholds or consider temporarily disabling HTTP/2 on unpatched public endpoints if downstream mitigations are not in place.

Imperva Protection

Imperva customers with Cloud WAF deployments are protected against exploitation attempts associated with CVE-2026-49975. Cloud WAF automatically inspects and manages anomalous stream and frame structures at the edge, mitigating malicious HPACK anomalies before they reach backend services.

For organizations utilizing Imperva WAF-GW protecting environments where HTTP/2 is enabled, administrators should take immediate action to verify that HTTP/2 Header Restrictions are actively applied and enforced within their security policies. Ensuring these granular protocol constraints are enabled provides a critical layer of defense, blocking the dense, high-frequency header bookkeeping manipulation characteristic of the HTTP/2 Bomb exploit before it can consume backend server resources. For detailed configuration steps, please refer to the following KB article.

Bottom Line

CVE-2026-49975 represents a significant shift in threat discovery, showing how agentic AI capabilities can systematically bridge known, siloed software behaviors into destructive new exploit chains. Because the “HTTP/2 Bomb” requires minimal bandwidth to trigger complete memory exhaustion across major web servers in their default states, patching and perimeter mitigation are urgent priorities.

Imperva customers remain protected. Imperva Cloud WAF and WAF Gateway inspect and drop malicious stream and frame structures, ensuring that anomalous HPACK table definitions and malicious flow-control holds are neutralized at the edge before they can induce memory stress on backend enterprise systems.

The post Imperva Customers Protected Against CVE-2026-49975 (HTTP/2 Bomb) DoS appeared first on Blog.

Imperva customers are protected against exploitation attempts associated with CVE-2026-45247. Since disclosure, Imperva has observed active exploitation attempts containing serialized PHP object payloads designed to achieve remote code execution through PHP Object Injection gadget chains.

About CVE-2026-45247

On May 26, 2026, researchers at Sansec disclosed a critical vulnerability in Mirasvit Full Page Cache Warmer, a Magento and Adobe Commerce extension used to pre-populate and manage storefront cache content. The vulnerability was assigned CVE-2026-45247 and carries a CVSS score of 9.8.

According to the advisory, the extension processes a client-supplied CacheWarmer cookie and passes attacker-controlled data directly into PHP’s native unserialize() function without restricting which classes may be instantiated. Because the cookie is accepted on ordinary storefront requests, exploitation does not require authentication, administrative access, or any special configuration.

Sansec researchers found that attackers can leverage existing gadget chains present within Magento and its dependencies to escalate the vulnerability from PHP Object Injection (CWE-502) to full remote code execution. A single crafted cookie can ultimately allow arbitrary commands to be executed on the target server.

The vulnerability affects Mirasvit Full Page Cache Warmer versions prior to 1.11.12. Mirasvit released a patched version on May 25, 2026 and recommends all customers update immediately.

What We’ve Seen

Since disclosure, Imperva has observed active attack activity attempting to exploit CVE-2026-45247 through serialized PHP object payloads delivered via HTTP requests.

Observed payloads contain base64-encoded serialized objects designed to trigger PHP Object Deserialization and achieve remote code execution through commonly abused gadget chains. Several requests leverage classes from the widely used Monolog logging library, including:

• Monolog\Handler\SyslogUdpHandler
• Monolog\Handler\BufferHandler
• Monolog\Handler\FingersCrossedHandler
• Monolog\Handler\GroupHandler

The payloads attempt to invoke functions such as system() and current() to execute arbitrary commands on the underlying server. In several observed cases, attackers used test commands designed to validate successful code execution, including:

echo PWNED_CVE2026_$(date +%s)

and

sleep 5

These payloads are consistent with early-stage exploitation activity where attackers first verify vulnerability presence before deploying additional tooling, persistence mechanisms, webshells, or malware.

So far, observed attacks have primarily targeted Gaming and Business sites. The most targeted countries have been the United States, United Kingdom, France, and Australia.

The observed payloads suggest attackers are actively attempting to identify vulnerable Magento environments and validate remote command execution capabilities shortly after public disclosure.

Mitigation and Protection

Organizations using Mirasvit Full Page Cache Warmer should immediately upgrade to version 1.11.12 or later. Researchers noted that some organizations may be running the vulnerable component unknowingly because Cache Warmer can be bundled within other Mirasvit packages. Administrators should review installed Mirasvit modules and verify deployed versions.

Organizations should also review web server and application logs for suspicious CacheWarmer cookie values, particularly base64-encoded serialized object strings beginning with common PHP serialization markers. Because successful exploitation can lead to arbitrary code execution, potentially affected environments should be assessed for indicators of compromise, unauthorized file modifications, webshell deployment, and unexpected command execution activity.

Imperva customers are protected against exploitation attempts associated with CVE-2026-45247. Imperva Cloud WAF and WAF Gateway inspect malicious HTTP requests targeting vulnerable Magento components and can identify and block serialized object payloads, deserialization attempts, and remote code execution patterns before they reach vulnerable applications.

Bottom Line

CVE-2026-45247 represents a highly critical threat to Magento and Adobe Commerce environments due to its unauthenticated nature and potential for full remote code execution. The vulnerability requires only a crafted cookie delivered through a normal storefront request, significantly lowering the barrier to exploitation. Organizations running Mirasvit extensions should verify whether Cache Warmer is installed, update immediately to version 1.11.12 or later, and review logs for signs of exploitation activity.

Imperva customers remain protected against exploitation attempts associated with this vulnerability. Imperva Cloud WAF and WAF Gateway identify and block malicious deserialization payloads, PHP Object Injection attempts, and remote code execution techniques commonly used to exploit this vulnerability. By inspecting HTTP requests before they reach backend applications, Imperva helps prevent exploitation attempts from reaching vulnerable systems while organizations work to identify affected installations and apply vendor patches.

The post Imperva Customers Protected Against CVE-2026-45247 in Mirasvit Full Page Cache Warmer for Magento appeared first on Blog.

Why email was never enough

Email was always a compromise for security notifications. It’s universal, but that’s also its weakness:

• Emails get lost. Spam filters and crowded inboxes mean critical alerts are missed, not because Imperva didn’t send them, but because no one saw them in time.
• Emails can’t trigger automation. The ideal response to a DDoS attack isn’t a human reading an email and manually opening a ticket. It’s an automated workflow that opens the ticket, posts to Slack, pages the on-call engineer, and logs the incident, instantly.
• Emails are hard to parse. Extracting structured data from an email for downstream systems is brittle and error-prone

The stakes are high. Imperva research found that 44% of security professionals spend more than 20 hours a week responding to alerts, and 27% of IT professionals receive more than a million security alerts a day. When a critical notification is lost in that flood, response slows down—exactly when speed matters most.

The result? An operational gap between detection and response. That gap closes today.

Introducing Webhook-based notifications

What are webhook notifications? Webhook notifications are automated, real-time messages that a system sends to a URL you choose the moment an event occurs. Instead of waiting for someone to open an email, the event data—usually structured as JSON—is pushed straight to your tools, where it can instantly trigger tickets, alerts, and automated workflows.

Imperva now supports webhook notifications: real-time, structured alerts delivered directly to your systems and tools. You define webhook connections in the Imperva Platform, assign them to notification policies, and from then on, your alerts go exactly where you need them—instantly, in a format your automation can use.

No more spam filters. No more manual ticket creation. No more copy-pasting data at midnight.

Real-world webhook notification scenarios

• DDoS Attack Response: A DDoS event triggers your webhook, which fires a ServiceNow ticket, posts to Slack, and pages the on-call engineer—all before anyone touches a keyboard. When the attack stops, the workflow updates the ticket and notifies the team automatically.
• SSL Certificate Expiration: The expiration event posts directly to the right team’s Slack channel, so the responsible engineer sees it and acts before there’s an outage.
• DNS Configuration Required: A new site needs DNS setup. The webhook creates a task and notifies the infrastructure team, so work is queued before anyone checks the console.
• Bandwidth Overage Warning: Approaching your bandwidth limit? The webhook notifies your FinOps team and opens a ServiceNow ticket, so you can act before overage charges hit

*Note: Some notification types and integrations (like Slack/Teams) are coming soon or in beta. See documentation for current coverage.

Built the right way: Flexible, secure, reliable

Webhook notifications are designed for enterprise reliability:

• Backoff logic: If your endpoint isn’t reachable, Imperva retries delivery multiple times, so alerts aren’t lost to temporary outages.
• Authentication: You can add a secure code in the webhook header, making incoming notifications more trusted and secure for your environment.

The automation advantage

Webhook notifications aren’t just a new channel—they’re an automation unlock. Every alert becomes a programmable trigger: DDoS events, site configuration, bandwidth thresholds. Your automation stack gets a clean, reliable feed for every significant event, enabling faster, more consistent response. This is the foundation of SOC automation: every Imperva alert becomes a programmable trigger for faster, more consistent incident response.

When alerts arrive as structured events, action no longer depends on someone noticing an email. Notifications flow straight into tickets, incident channels, or automated workflows—so the right response happens immediately and consistently.

Deployment: How to set up webhook notifications

There’s nothing new to install. Webhook connections are configured directly in the Imperva platform under Accounts – Webhook Connection. You name the connection, define the endpoint URL, and assign it to the desired notification policy

Today, webhook notifications work alongside email—so you can run both channels in parallel and migrate at your own pace.

Frequently asked questions about webhook notifications

What are webhook notifications?

Webhook notifications are automated, real-time messages that Imperva sends to a URL you define the moment a security or operational event occurs. The event is delivered as structured data your tools can act on immediately—opening tickets, posting to chat channels, or triggering automated workflows—without anyone reading an email first.

How are webhook notifications more reliable than email security alerts?

Email alerts can be lost to spam filters or buried in crowded inboxes. Webhook notifications are delivered directly to your systems, with backoff logic that retries delivery if your endpoint is temporarily unreachable and optional authentication codes in the webhook header to verify each message. The result is fewer missed alerts and a structured payload your automation can parse reliably.

What security events can trigger an Imperva webhook?

Webhook notifications can fire on events such as a DDoS attack starting or stopping, an SSL certificate nearing expiration, a new site that needs DNS configuration, and bandwidth overage warnings. Each event is sent to the notification policy you assign it to. Some notification types and integrations are rolling out over time, so check the Imperva documentation for current coverage.

Can I use webhook and email notifications at the same time?

Yes. Webhook notifications run alongside email, so you can keep both channels active and migrate to webhooks at your own pace. Many teams keep email as a backup while webhooks become the primary channel for automated response.

How do I set up webhook notifications in Imperva?

There is nothing new to install. In the Imperva Platform, go to Accounts – Webhook Connection, name the connection, define the endpoint URL, and assign it to the notification policy you want. For step-by-step instructions and current event coverage, see the Imperva webhook documentation.

The Bottom line

Webhook notifications mean fewer missed alerts, faster automation, and less manual work. Email becomes your backup, not your primary channel. At this stage access to webhook notifications is currently limited, get in touch to find out more.

Your security workflows just got an upgrade.

Contact your Imperva account team to find out more.

The post Real-Time Webhook Notifications: No More Lost Security Alerts appeared first on Blog.

About CVE-2026-9082

On May 20, 2026, the Drupal Security Team disclosed SA-CORE-2026-004, tracked as CVE-2026-9082. The vulnerability affects Drupal core versions from 8.9.0 before 10.4.10, 10.5.0 before 10.5.10, 10.6.0 before 10.6.9, 11.0.0 before 11.1.10, 11.2.0 before 11.2.12, and 11.3.0 before 11.3.10.

The issue exists in Drupal’s database abstraction API, which is designed to sanitize database queries and prevent SQL injection. According to Drupal, specially crafted requests can result in arbitrary SQL injection on sites using PostgreSQL databases. The vulnerability can be exploited by unauthenticated users and may lead to information disclosure and, in some cases, privilege escalation, remote code execution, or other follow-on attacks.

The vulnerability is specific to PostgreSQL-backed Drupal deployments. The flaw stems from attacker-controlled array keys flowing into SQL placeholder names in Drupal’s PostgreSQL entity query handling. Researchers identified two unauthenticated paths to the vulnerable code: the JSON login endpoint and JSON:API filter syntax.

What We’ve Seen

Since CVE-2026-9082 was released, Imperva has observed over 15,000 attack attempts targeting almost 6,000 individual sites across 65 countries. Attacks are primarily targeting Gaming and Financial Services sites so far, at collectively almost 50% of all attacks.

Most of the observed activity so far appears to be probing. The payloads in the attached Imperva data largely focus on JSON:API routes, particularly /jsonapi/node/article, and use crafted filter parameters designed to test whether a target is vulnerable. Several payloads include Nuclei-style markers such as nuclei_sa_core_2026_004, nuclei-probe, and nuclei-probe-miss, indicating automated scanning and template-based validation activity.

The most common payload patterns include:

• JSON:API filter probes using operator=IN against the title field
• Crafted array keys such as 0), 0)) OR 1=1 –, and _) AND 1=1–
• Time-based SQL injection checks using PostgreSQL functions such as pg_sleep
• UNION-style and syntax-break probes intended to validate error-based SQL injection behavior

This pattern suggests attackers and scanners are primarily attempting to identify exposed Drupal sites running vulnerable PostgreSQL-backed configurations. While the activity is currently dominated by reconnaissance and validation, the nature of the vulnerability means successful exploitation could quickly move from probing to data extraction or privilege escalation.

Mitigation and Protection

Organizations running Drupal should upgrade immediately to one of the patched versions: 10.4.10, 10.5.10, 10.6.9, 11.1.10, 11.2.12, or 11.3.10. Searchlight Cyber also noted that the same Drupal release includes Symfony and Twig security updates, making patching important even for environments not using PostgreSQL.

Imperva customers with any WAF deployment are protected against exploitation attempts associated with CVE-2026-9082. 

Bottom Line

CVE-2026-9082 is a high-priority Drupal core vulnerability because it is remotely reachable, exploitable by unauthenticated users, and affects a core query-handling mechanism. Although the vulnerability is limited to PostgreSQL-backed Drupal sites, the widespread use of Drupal and the speed of observed scanning make this an urgent patching priority.

Imperva has already observed broad probing across thousands of sites and dozens of countries. Imperva customers are protected, but organizations should still patch immediately, review logs for suspicious JSON:API and /user/login?_format=json activity, and confirm whether any Drupal deployments use PostgreSQL.

The post Imperva Customers Protected Against CVE-2026-9082 in Drupal Core appeared first on Blog.

We identified a couple of vulnerabilities in AI automation platform Dify resulting in cross-tenant sensitive information disclosure and one-click account takeover. These findings reinforce the pattern we documented in our previous n8n blogpost: even though AI automation platforms are increasingly becoming integration hubs for complex workflows, their security posture still lags behind their rapid evolution and operational importance. 

Introduction

Dify is an open-source platform for building LLM-powered applications: agents, chatbots, and automated workflows. With over 134,000 GitHub stars and over 10 million docker pulls, it has rapidly become one of the most popular tools in the AI application space, offering both self-hosted and managed cloud deployments. 

Our research into Dify uncovered two distinct vulnerabilities that illustrate this risk: 

1. A file handling flaw that enables one-click account takeover through a single malicious link (detailed below). 
2. An insufficient tenant isolation issue in shared environments that exposes other users’ application source code.  

Both findings point to the same structural challenge: platforms that centralize trust must also centralize rigor in how they isolate users and handle untrusted input. 

The first issue was addressed in Dify 1.13.1. The second was fixed in the sandbox layer by moving from a shared identity to per-execution UIDs, then shipped to Dify users through the newer sandbox image bundled with 1.13.3. 

Dify did not respond to any of our disclosure messages and chose to patch silently.  

One Click to Account Takeover

The flaw lies in how Dify handles file uploads through workflow tool nodes, such as Image Downloader or Image Toolbox. 

SVG is an XML-based image format that can natively embed JavaScript, via <script> tags or event handlers on SVG elements. When a browser renders an SVG file served from a trusted origin, any embedded script executes with full access to that origin’s session context, including cookies, local storage, and API calls. 

Dify uses two subdomains: 

• upload.dify.ai: where user-uploaded files are stored and served 

• cloud.dify.ai: the main application domain, where users authenticate and manage their workflows 

Critically, upload.dify.ai and cloud.dify.ai are configured as DNS aliases. From the browser’s perspective, both subdomains resolve to the same origin. This collapses the intended security boundary: a file that should have been confined to a static asset domain is instead rendered with the full privileges of the application domain. 

A malicious SVG uploaded to upload.dify.ai could simply be accessed via cloud.dify.ai, and the browser would execute its JavaScript payload as if it were part of the application itself. 

But this design wouldn’t be dangerous if access control was enforced on uploaded files. Each uploaded file receives a unique ID and is stored at a predictable path: 

https://upload.dify[.]ai/files/tools/<unique-id>/filename.svg 

However, these files are publicly accessible with no authentication and no per-user scoping (a.k.a Insecure Direct Object Reference). Anyone who knows the URL can retrieve the file. And that ID is not necessarily secret: it could leak through Referer headers or surface in shared workspace contexts. 

Therefore, in this case, the exploitation scenario was straightforward:  

• The threat actor generates a malicious link leading to a resource in his account 

• The resource link is shared to another user, and one click leads to account takeover. 

Eventually, Dify team fixed this first issue by overwriting the content-type of the HTTP response to “application/octet-stream”, independently from the nature of the file, represented with the args.as_attachment flag version 1.13.1.
This value triggers download instead of rendering. 

Cross-Tenant Source Disclosure in the Python Sandbox

This bug lived deeper in the stack, inside dify-sandbox, the service Dify uses to execute untrusted code. 

The failure here was particularly interesting, as it required a chain to fully leak other users’ source code on the Dify platform. 

1. Sandboxed Python executions shared a filesystem location. 
2. Those executions shared the same runtime identity. 
3. The leaked artifact contained encrypted code, not plaintext. 
4. But the “encryption” was repeating-key XOR, so ciphertext alone was often enough. 

Where the Leak Came From 

Fig. 1: Dify cross-tenant source disclosure 

The Dify monorepo only pins the sandbox image. At tag 1.13.1, Dify still shipped langgenius/dify-sandbox:0.2.12 in its compose files: 

• Dify 1.13.1 sandbox pin: https://github.com/langgenius/dify/blob/1.13.1/docker/docker-compose-template.yaml#L246-L249 

Inside that sandbox version, the Python runner used a fixed sandbox root: 

• sandbox root definition: https://github.com/langgenius/dify-sandbox/blob/0.2.12/internal/core/runner/python/setup.go#L23-L26 

• chroot behavior described in FAQ: https://github.com/langgenius/dify-sandbox/blob/0.2.12/FAQ.md#L3-L13 

The important detail is what happened during execution. The runner generated a temporary script under ${LIB_PATH}/tmp/<uuid>.py, which became /tmp/<uuid>.py from the Python process’s perspective after chroot. The same runner stamped every wrapper script with a single hard-coded sandbox UID: 

• vulnerable runner: https://github.com/langgenius/dify-sandbox/blob/0.2.12/internal/core/runner/python/python.go#L89-L164 

• static sandbox UID: https://github.com/langgenius/dify-sandbox/blob/0.2.12/internal/static/user.go#L1-L6 

Three lines tell the story: 

• Identity was fixed through static.SANDBOX_USER_UID. 

• The wrapper script was written with os.WriteFile(…, 0755). 

• The file lived under the shared sandbox tmp directory. 

Separate tenants executing inside the same sandbox root, under the same effective identity, with readable code artifacts left in a shared /tmp. That is the entire isolation bug. 

Our proof of concept simply sampled /tmp during execution and collected newly created files. In a shared cloud deployment, that exposed wrapper scripts belonging to other tenants running on the same sandbox host. 

The attacker-side workflow looked like this: 

What the Attacker Actually Stole

The leaked file was not the raw user script. 

Dify generated a Python wrapper that loaded a native seccomp helper, decoded a Base64 blob, decrypted it, and exec’d the result. 

The decryptor lived in the embedded prescript: 

• prescript decryptor: https://github.com/langgenius/dify-sandbox/blob/0.2.12/internal/core/runner/python/prescript.py#L22-L47 

The critical line: 

On the Go side, the matching encryption logic was just as direct: 

This looks like “encryption,” but it is really a byte-wise Vigenere cipher with a 64-byte repeating key. 

Something like that: 

Why the Encryption Broke

If Dify had used a modern authenticated cipher and never exposed the key, reading /tmp/<uuid>.py would still have been bad, but it would not immediately reveal source code. Instead, the runner: 

• generated a random 64-byte key 

• XORed every plaintext byte with key[i mod 64] 

• Base64-encoded the result 

• embedded the ciphertext in the wrapper script 

Repeating-key XOR leaks structure across every byte position modulo the key length. Once the key length is known, recovery collapses into a set of small single-byte XOR problems,  not a modern cryptanalytic challenge. 

Our PoC used exactly that property. The attack strategy: 

1. Lock onto the real key size of 64 bytes. 
2. Score candidate plaintext bytes for “Python-likeness.” 
3. Slide common cribs, import , from , def main( — across the ciphertext. 
4. Reward outputs that decode as UTF-8, contain Python tokens, and successfully parse with ast.parse. 

Workflow code is highly structured plaintext: full of repeated syntax, imports, identifiers, indentation, JSON handling, and predictable scaffolding. Even when the exact business logic is unknown, the shape of Python source gives the attacker enough signal to recover key bytes and reconstruct the rest. 

The sandbox did not need to leak the key. The ciphertext was enough.

A reduced version of the recovery logic:

The real PoC is more careful, including crib dragging, UTF-8 heuristics, Python-token scoring, AST validation, and more. 

Why This Was Recoverable in Practice

Three properties made the attack reliable. 

Fixed key size. The vulnerable runner hard-coded key_len := 64, so the PoC did not have to discover a moving target. 

Strong plaintext priors. Python source naturally contains ASCII-heavy text, repeated keywords, common import patterns, indentation and punctuation, and valid UTF-8. 

Machine-verifiable output. The PoC did not stop at “looks readable.” It strongly preferred candidates that parsed as real Python, turning recovery into a search problem with a sharp scoring function. 

How Dify Fixed It

The fix landed in dify-sandbox 0.2.13: 

• fix: tenant isolation use uid: https://github.com/langgenius/dify-sandbox/commit/6b3577c7779c4afc9f26645df5a4660a7282a566 

The patched runner changed the trust boundary in the right place: 

• fixed runner: https://github.com/langgenius/dify-sandbox/blob/0.2.13/internal/core/runner/python/python.go#L30-L176 

• UID pool: https://github.com/langgenius/dify-sandbox/blob/0.2.13/internal/core/runner/python/uid_pool.go#L9-L67 

The important changes: 

• uid, err := AcquireUID(ctx) 

• The wrapper was written with os.WriteFile(…, 0600). 

• The file was reassigned with syscall.Chown(…, uid, …). 

• The embedded prescript stopped using the single global sandbox UID and used the per-run UID instead. 

This matters more than any cryptographic tweak. Before the fix, every execution looked like the same sandbox user. After the fix, each execution got its own identity and its own readable artifact set. 

Dify did not “fix the encryption.” It fixed the isolation boundary. 

The Impact

• One-click account takeover: The attacker acts as the victim: modifying workflows, changing settings, inviting collaborators. 

• Workflow theft: Private workflows (often encoding proprietary business logic, integration architecture, and prompt engineering) become fully accessible. 

• Credential exfiltration: API keys, OAuth tokens, and model configurations stored in Dify can be extracted, enabling lateral movement into every connected external service. 

• Full instance compromise: If the victim is an administrator, the attacker gains control of the entire Dify deployment and every integration it orchestrates. 

Conclusion

Both vulnerabilities we found in Dify stem from the same oversight: security controls that weren’t designed to keep pace with the platform’s feature growth. As these tools add collaboration, file sharing, and multi-tenant environments, each new surface needs to be hardened with the same rigor as the core application. 

What makes this particularly relevant for security teams is the open-source model: Dify is widely self-hosted, meaning unpatched instances may persist long after fixes are released. Organizations running Dify (in any configuration) should verify they are on v1.13.1 or later. 

Timeline

• January 14, 2026: initial disclosure sent 

• March 17, 2026: Dify 1.13.1 released, addressing the first issue 

• March 19, 2026: dify-sandbox 0.2.13 released with UID-based tenant isolation 

• March 20, 2026: follow-up sandbox patch stabilizes the UID-based design inside the chroot 

• March 25, 2026: Dify 1.13.3 released, bundling the fixed sandbox at 0.2.14 

The post Dify: When Your AI Platform Becomes the Attack Surface appeared first on Blog.

Imperva Threat Research Group analyzed the vulnerability and associated exploitation techniques. Imperva customers using Cloud WAF or On-Prem WAF are protected against attack attempts targeting this issue.

The Vulnerability

CVE-2026-42945 is a heap-based buffer overflow vulnerability in the ngx_http_rewrite_module component of NGINX Open Source and NGINX Plus. The issue, nicknamed NGINX Rift, occurs when specific rewrite-rule patterns are processed using unnamed Perl-Compatible Regular Expression (PCRE) capture groups such as $1 or $2, combined with replacement strings containing a question mark (?) and followed by additional rewrite, if, or set directives.

Under vulnerable conditions, specially crafted HTTP requests can trigger heap corruption within the NGINX worker process. Public research indicates this can reliably cause worker crashes and denial-of-service conditions, while some researchers also demonstrated potential paths toward remote code execution under favorable memory-layout conditions.

The vulnerability was discovered through autonomous analysis of the NGINX codebase and reportedly remained dormant for nearly two decades. Researchers described the issue as arising from a state mismatch in rewrite processing logic that ultimately results in unsafe memory handling during URI rewriting operations.

In practical terms, an attacker sends a crafted HTTP request designed to reach a vulnerable rewrite rule. During processing, attacker-controlled URI data can overflow allocated heap memory inside the worker process. Depending on the target environment and mitigations such as ASLR, exploitation may result in:

• Worker process crashes
• Repeated restart loops
• Application-layer denial of service
• Potential remote code execution within the NGINX worker context

The flaw affects:

• NGINX Open Source versions 0.6.27 through 1.30.0
• NGINX Plus R32 through R36

Patched releases include:

• NGINX Open Source 1.30.1 and 1.31.0+
• NGINX Plus R32 P6 and R36 P4

Because rewrite directives are extremely common in real-world NGINX deployments, particularly in reverse proxies, API gateways, load balancers, authentication flows, and URL routing logic, exposure may extend across a substantial portion of internet-facing infrastructure. NGINX was the most widely deployed web server on the internet as of 2025, supporting 32.4% of all websites with known web servers, so the exposure surface is extremely broad across enterprise, cloud, SaaS, and e-commerce environments.

Some of the techniques associated with exploitation include:

• Crafted HTTP requests targeting vulnerable rewrite rules
• Abuse of unnamed PCRE capture groups ($1, $2)
• Heap corruption via malformed URI rewriting operations
• Application-layer denial of service through worker crashes
• Potential memory manipulation leading to remote code execution
• Automated internet-wide scanning for exposed NGINX deployments

Unlike traditional volumetric DDoS attacks, exploitation of CVE-2026-42945 targets the application processing layer directly, allowing attackers to disrupt services using relatively small numbers of malicious requests.

Bottom Line

CVE-2026-42945 demonstrates how long-lived vulnerabilities in foundational internet infrastructure can remain undiscovered for years while silently exposing a massive attack surface. By abusing rewrite-processing logic inside ngx_http_rewrite_module, attackers can trigger heap corruption using crafted HTTP requests, leading to denial-of-service conditions and potentially remote code execution.

Because NGINX is deeply embedded within modern web infrastructure, including reverse proxies, API gateways, SaaS applications, and cloud environments, organizations should prioritize patching affected systems immediately and review rewrite-rule configurations for vulnerable patterns involving unnamed PCRE captures.

Imperva Cloud WAF and On-Prem WAF customers are protected against related attack activity.

The post CVE-2026-42945: Imperva Customers Protected Against Critical NGINX Rewrite Module Vulnerability appeared first on Blog.

If you’re running Claude Code with AWS Bedrock, there’s something you need to know: the AWS credentials you configure for Bedrock don’t stay confined to Bedrock. They might be shared with every shell command, every MCP server, and every subprocess that Claude Code spawns. And depending on how those credentials are scoped, that could mean full access to your entire AWS account. 

The Problem in a Nutshell 

When you set up Claude Code for Bedrock, you store your AWS credentials in ~/.claude/settings.json: 

{ 
   "env": { 
     "AWS_ACCESS_KEY_ID": "...", 
     "AWS_SECRET_ACCESS_KEY": "...", 
     "AWS_DEFAULT_REGION": "us-east-1", 
     "CLAUDE_CODE_USE_BEDROCK": "1" 
   } 
} 

These environment variables get loaded into the Claude Code process. So far, so normal. The issue is that Unix processes inherit environment variables from their parent. Every time Claude Code runs a shell command, spawns an MCP server, or launches any subprocess, those child processes get your AWS credentials too. 

That means any AWS CLI command executed through Claude Code authenticates as your IAM principal. Not just for Bedrock, but for everything that principal has permissions to do. 

How This Goes Wrong in Practice 

The security boundary here is entirely on the IAM policy side, Claude Code itself applies no restriction. If your IAM user only has `AmazonBedrockLimitedAccess`, the blast radius is minimal. But in practice, credentials often have broader permissions than intended. None of the scenarios below require an attacker or a sophisticated exploit, they’re everyday mistakes that happen when AWS credentials are broader than they need to be. 

1. Reusing your everyday IAM user

You already have an IAM user you use for daily development, like deploying lambdas, reading S3, or managing EC2 instances. Instead of creating a dedicated user for Claude Code, you drop those same credentials into settings.json because it’s faster. Now Claude Code has access to everything you do: production databases, customer data in S3, IAM itself. You meant to give it Bedrock access, but you actually gave it your entire AWS footprint. 

2. Operating on the wrong environment

You’re working on a staging project, but the credentials in settings.json belong to your production account. You ask Claude Code to “delete the old test data from S3” or “terminate the idle instances.” Claude Code generates the right AWS CLI commands for the task, but runs them against production. There’s no visual indicator in Claude Code telling you which AWS account or environment is active. The approval prompt shows aws s3 rm, and you click accept because the command looks correct for what you asked. 

3. Permissions drifting over time

You start with a tightly scoped IAM user for Bedrock only. Months later, someone on your team attaches AmazonS3ReadOnlyAccess for a one-off migration script and forgets to remove it. Then PowerUserAccess gets added during an incident for quick debugging. The Claude Code credentials silently gain more power over time, and nobody audits what it can actually do because “it’s just the Bedrock user.” 

4. Shared credentials across a team

A team lead sets up an IAM user for Claude Code and shares the credentials in a wiki or Slack channel for the team to use. Now multiple developers are running Claude Code with the same identity. There’s no way to distinguish who did what in CloudTrail logs. If one developer’s session is compromised through prompt injection, the blast radius covers everyone using those credentials, and attribution is impossible. 

The Attack Scenarios 

This isn’t just a theoretical concern. There are several realistic ways this can go wrong: 

Accidental over-provisioning is the most likely scenario. A developer uses Claude Code normally, unaware that a “clean up old files” prompt could generate AWS CLI commands touching production S3 buckets or EC2 instances. 

Prompt injection is more targeted. An attacker plants malicious instructions in a repository file: a README, a config file, a code comment. When Claude Code reads the file, the injected instruction can influence it to generate AWS CLI commands that exfiltrate data or create backdoor access keys. The user sees an approval prompt but might not catch the malicious intent among legitimate-looking operations. 

Compromised MCP servers inherit the full environment as subprocesses. A malicious or supply-chain-compromised MCP server can silently make AWS API calls using your credentials. 

What You Should Do 

Scope your credentials tightly. The IAM user or role you configure for Claude Code should have the absolute minimum permissions needed, ideally only bedrock:InvokeModel* and related Bedrock actions. Audit what’s attached right now. You might be surprised. 

Consider using Bedrock API keys instead of IAM credentials. Claude Code supports AWS_BEARER_TOKEN_BEDROCK, which is inherently scoped to Bedrock operations. API keys can’t be used by the AWS CLI for non-Bedrock operations. This is the most effective mitigation available today and requires no infrastructure changes. 

Use temporary credentials. If you must use IAM credentials, prefer STS temporary credentials or SSO-based authentication over long-lived access keys. They at least limit the exposure window. 

Pay attention to shell command approval prompts. When Claude Code asks permission to run a command –  read it. Look for aws CLI commands that access services beyond what you’d expect. If you see aws s3, aws ec2, aws iam, or similar, think about whether that’s something you intended to allow. 

Audit your settings.json. Run aws sts get-caller-identity with the configured credentials and check what policies are attached to that principal. If the answer is anything broader than Bedrock access, tighten it. 

The Bigger Picture 

This is a classic example of the principle of least privilege being violated through environment inheritance, a well-understood Unix behavior that becomes a security issue when credentials meant for one purpose are implicitly available for all purposes. 

Claude Code’s shell command approval prompt provides some protection, but it’s a thin layer. Users lack context about which AWS credentials are active and what permissions they grant. Approval fatigue, the tendency to reflexively accept prompts after seeing enough of them, further erodes this safeguard. 

The ideal fix would be credential isolation: Bedrock credentials should be internal to Claude Code and never exposed to shell subprocesses through environment variables. Until that happens, and according to Anthropic, the responsibility falls on you to ensure your credentials are scoped as narrowly as possible. 

The post Using Bedrock with Claude Code? Your AWS Credentials Are Shared With Every Subprocess appeared first on Blog.

And the security implication is clear: the more autonomous systems rely on APIs, the more important it becomes to know exactly which APIs exist, how they are being used, and whether they are being misused.

If your organization cannot answer those questions, you have a visibility problem. And in an environment where AI can accelerate both legitimate automation and malicious abuse, visibility is the first step to control.

Risk accelerating

APIs have always been a target because they expose data and business logic. What has changed is pace.

AI can now help attackers discover endpoints faster, test more abuse paths, and automate attacks that once took much more effort. Meanwhile, AI agents inside the enterprise are generating more API traffic, often with broader privileges than anyone intended.

That means security teams are facing a harder problem: not just more traffic, but more uncertainty and adversaries with improved tools.

What CISOs should be worried about

The biggest risks are not always the loudest ones.

Whether it’s an over-permissioned agent, a forgotten or shadow API, or a “legitimate” request abused to enumerate data or chain unauthorized actions, the risk is real. It’s often compounded by API tokens with broad access and long expiration times.

These are the kinds of issues that can lead to evasive data exfiltration, unauthorized payments, compliance violations, and operational surprises that go undetected far too long.

If your API security program cannot spot abnormal behavior early, the business is exposed.

What good looks like

CISOs need a practical model, not more noise.

That model should:

• Continuously discover APIs across the environment.
• Classify which ones are sensitive.
• Establish baselines for normal behavior.
• Detect abnormal or suspicious API activity.
• Support least-privilege access for AI agents.
• Help revoke risky permissions quickly.

This is how security leaders turn AI agent activity from a blind spot into something measurable and governable.

The board conversation has changed

This is no longer just a technical issue for engineering or operations.

Boards care about risk, control, and business impact. They need to know how many AI agent-facing APIs are being monitored, how many anomalous calls have been detected, and how quickly the business can respond when something looks wrong.

That is the real opportunity for CISOs: to move API security into the center of the AI risk conversation.

Download the guide now

For CISOs, security leaders, and executives, this guide explains the new API security realities emerging with AI agents. We created A CISO’s Guide to API Security in the Age of AI Agents to help you navigate the shift with clarity and confidence.

Inside, you will learn:

• Why AI agents are increasing API risk rather than replacing it.
• How to connect API security to business and board-level concerns.
• What to look for in a practical CISO playbook for discovery, visibility, and control.
• How to govern agent-driven access before it becomes business exposure.

AI agents may change how work gets done. But the organizations that understand their APIs first will be the ones best positioned to stay in control.

Download the CISO guide now

The post Why AI Agents Make API Security a CISO Priority appeared first on Blog.

The Vulnerability

Researchers recently disclosed CVE-2026-23870, a high-severity denial-of-service vulnerability affecting React Server Components and downstream frameworks such as Next.js. The issue exists in how vulnerable React Server Component implementations deserialize attacker-controlled request payloads sent to Server Function endpoints.

The vulnerability stems from improper handling of cyclic or recursively referenced data structures during request processing. Specifically, vulnerable deserialization logic within the React Flight protocol can repeatedly consume maliciously crafted models before properly marking them as processed, resulting in excessive resource consumption.

In practical terms, an attacker can send a specially crafted HTTP request to exposed Server Function endpoints in applications using React Server Components. When the payload is processed, the server enters a high-CPU execution state that can persist for extended periods before eventually throwing an error. Because the error is catchable and the attack requires no authentication, attackers can repeatedly issue malicious requests to sustain denial-of-service conditions.

The issue primarily impacts:

• react-server-dom-webpack
• react-server-dom-parcel
• react-server-dom-turbopack

Affected versions include:

• 0.0 through 19.0.4
• 1.0 through 19.1.5
• 2.0 through 19.2.4

Patched releases are available in:

• 0.5
• 1.6
• 2.5

Because React Server Components are heavily used in modern application architectures, particularly high-traffic ecommerce, SaaS, and API-driven environments, exploitation can have significant operational impact. Applications leveraging Next.js App Router deployments are especially exposed due to the widespread use of Server Function endpoints.

Some of the techniques observed or associated with exploitation include:

• Crafted cyclic model payloads designed to trigger recursive deserialization behavior
• Repeated requests to Server Function endpoints to sustain CPU exhaustion
• Abuse of React Flight protocol request parsing logic
• Application-layer denial-of-service attacks targeting availability rather than data theft
• Automated scanning of exposed React and Next.js deployments for vulnerable endpoints

Unlike traditional volumetric DDoS attacks, CVE-2026-23870 enables low-bandwidth, application-layer denial of service by forcing disproportionate server-side computation. This makes the attack particularly attractive because relatively small numbers of malicious requests can create significant backend resource exhaustion.

Bottom Line

CVE-2026-23870 highlights the growing security risks associated with modern server-side rendering frameworks and component-driven architectures. By abusing request deserialization logic in React Server Components, attackers can trigger disproportionate backend resource consumption using relatively low-effort HTTP requests.

Since this vulnerability requires no authentication and targets exposed Server Function endpoints directly, exploitation is straightforward in unpatched environments. Organizations using React Server Components, Next.js App Router, or related server-side rendering frameworks should immediately upgrade affected packages and review exposed application endpoints.

Imperva Cloud WAF and On-Prem WAF customers are protected against related attack activity.

The post CVE-2026-23870: Imperva Customers Protected Against Critical React Server Components DoS Vulnerability appeared first on Blog.