Deploy autonomous AI agents that reason, exploit, and validate complex vulnerability chains — not another scanner, an agentic system that thinks like a senior pentester.
CVE-2026-42303 is a low severity vulnerability with a CVSS score of 0.0. No known exploits currently, and patches are available.
Very low probability of exploitation
EPSS predicts the probability of exploitation in the next 30 days based on real-world threat data, complementing CVSS severity scores with actual risk assessment.
Fides deployments that enable both subject identity verification and duplicate privacy request detection are affected by a vulnerability in which an administrator can approve a privacy request whose identity was never verified. For erasure policies, this can result in unauthorized deletion of a data subject's records across every integration configured in the affected deployment.
A related lower-severity denial-of-service issue, in which an unauthenticated attacker could prevent a legitimate data subject from completing their own privacy requests, is also patched in the fix for this vulnerability.
This vulnerability only affects deployments that use Fides's privacy request (data subject request) features, also known collectively as "Lethe". Deployments that do not submit, process, or manage privacy requests through Fides are not affected.
Within deployments that do use privacy request features, your deployment is affected if both of the following settings are effectively set to true:
subject_identity_verification_requiredprivacy_request_duplicate_detection.enabledBoth settings default to false.
Each setting can be configured in multiple places. If the same setting is configured in more than one place, Fides resolves conflicts in the following precedence order, highest priority first:
fides.toml - read at webserver startupTo determine whether your deployment is affected, check each setting in every location that applies to your configuration management.
subject_identity_verification_required
fides.toml: under the [execution] section as subject_identity_verification_required = truePlease cite this page when referencing data from Strobes VI. Proper attribution helps support our vulnerability intelligence research.
FIDES__EXECUTION__SUBJECT_IDENTITY_VERIFICATION_REQUIRED=trueprivacy_request_duplicate_detection.enabled
fides.toml: under the [privacy_request_duplicate_detection] section as enabled = trueFIDES__PRIVACY_REQUEST_DUPLICATE_DETECTION__ENABLED=truefides.toml or environment variable will not appear here.When duplicate detection classifies a privacy request as a duplicate before its identity has been verified, the administrative interface presents that request with Approve, Deny, and Delete options. An administrator performing routine duplicate request triage may approve such a request without realising the identity was never verified. The request is then processed as if verification had succeeded.
An attacker exploits this by submitting two privacy requests using a target's email address, never completing the OTP verification. The second request is classified as a duplicate and becomes approvable through the administrative interface.
The fix for this vulnerability also patches a lower-severity issue, present in versions 2.82.0 through 2.83.1, in which a legitimate data subject could not complete identity verification on a privacy request that had been classified as a duplicate, allowing an unauthenticated attacker to block that data subject from exercising their privacy rights through the affected deployment.
An unauthenticated attacker who knows a target's email address and can reach the public Privacy Center can cause an erasure privacy request to be approved by an administrator and processed without identity verification. The result is unauthorized deletion of the data subject's records across every integration configured in the affected deployment. Effects may be permanent and may cascade into downstream systems.
Access privacy requests are a less meaningful vector: the resulting access package is delivered to the data subject's registered email address, not to the attacker, so the attacker does not gain the data. The request still represents unauthorized processing.
The vulnerabilities have been patched in Fides OSS version 2.83.2. Users are advised to upgrade to this version or later to secure their systems against these threats.
Fides Enterprise (fidesplus) version 2.83.2 contains the same patch.
Disable duplicate detection by setting privacy_request_duplicate_detection.enabled to false. This can be changed under Settings → Privacy Requests → Duplicate detection in the Admin UI). This fully mitigates the vulnerability and is the recommended interim workaround for deployments that cannot immediately upgrade.
Administrators of deployments that must retain duplicate detection should deny or delete, rather than approve, any privacy request whose identity has not been verified. This reduces the likelihood of exploitation but relies on administrator vigilance during each triage action.
This vulnerability has been assigned a severity of MEDIUM.
The rating reflects the fact that exploitation requires an administrator to approve the malicious request. An attacker alone cannot cause a privacy request to be processed. The administrative interface understates the verification state of a duplicate-classified request, which increases the likelihood of inadvertent approval during routine triage, but without administrator user interaction the vulnerability is not exploitable.
The related denial-of-service issue addressed in the same patch is also rated medium-severity in isolation and does not raise the overall severity of this advisory.