CVE-2026-4926
DOCUMENTATION: A flaw was found in path-to-regexp. A remote attacker could exploit this vulnerability by providing specially crafted input that generates a regular expression with multiple sequential optional groups. This leads to an exponential growth in the generated regular expression, causing a Denial of Service (DoS) due to excessive resource consumption.
STATEMENT: This is an Important flaw in path-to-regexp that can lead to a Denial of Service. The vulnerability occurs when specially crafted input containing multiple sequential optional groups is used to generate regular expressions, causing exponential resource consumption.
Red Hat Advanced Cluster Security is not affected by this issue, since it ships a path-to-regexp version that does not contain the vulnerable code.
MITIGATION: To mitigate this vulnerability, limit the use of multiple sequential optional groups in route patterns within applications that use path-to-regexp. Additionally, avoid directly passing user-controlled input as route patterns to prevent the generation of maliciously crafted regular expressions.
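The two mitigations above can be enforced in application code before any pattern reaches path-to-regexp. The following is an added example, not code from the advisory or from the path-to-regexp project. It assumes that optional groups are written either as `{...}` brace groups or as a parameter/group followed by a `?` or `*` modifier (the syntaxes of recent path-to-regexp releases; adjust the scanner for the version you ship), that MAX_SEQUENTIAL_OPTIONAL is a local policy threshold rather than a value from the advisory, and that the entries in ROUTES are constructed for illustration.

```javascript
// Added example (not from the advisory or the path-to-regexp project): a guard
// that applies the advisory's two mitigations before a route pattern is ever
// compiled by path-to-regexp.
//
// Assumptions, labelled: optional groups are recognised as `{...}` brace groups
// or as a parameter/group followed by a `?` or `*` modifier; the threshold
// MAX_SEQUENTIAL_OPTIONAL is local policy, and the ROUTES table is constructed.

const MAX_SEQUENTIAL_OPTIONAL = 2;

// Return the index just past the group opening at `start`, honouring nesting
// and backslash escapes.
function skipGroup(pattern, start, open, close) {
  let depth = 0;
  for (let k = start; k < pattern.length; k += 1) {
    if (pattern[k] === '\\') { k += 1; continue; }
    if (pattern[k] === open) depth += 1;
    else if (pattern[k] === close && --depth === 0) return k + 1;
  }
  throw new Error(`unbalanced "${open}" in route pattern`);
}

// Walk the pattern once and measure the longest run of consecutive optional
// groups. A required parameter, or literal text other than the `/` separator,
// breaks a run.
function analyzePattern(pattern) {
  let i = 0;
  let run = 0;
  let longestRun = 0;
  let optionalGroups = 0;
  const noteOptional = () => {
    run += 1;
    optionalGroups += 1;
    if (run > longestRun) longestRun = run;
  };

  while (i < pattern.length) {
    const ch = pattern[i];
    if (ch === '\\') {                   // escaped literal character
      i += 2; run = 0; continue;
    }
    if (ch === '{') {                    // brace group: optional by definition
      i = skipGroup(pattern, i, '{', '}');
      noteOptional();
      continue;
    }
    if (ch === ':' || ch === '(') {      // named parameter or unnamed group
      let j = i;
      if (ch === ':') {
        j += 1;
        while (j < pattern.length && /[A-Za-z0-9_]/.test(pattern[j])) j += 1;
      }
      if (pattern[j] === '(') j = skipGroup(pattern, j, '(', ')'); // custom matcher
      const modifier = pattern[j];
      if (modifier === '?' || modifier === '*') {
        j += 1; noteOptional();          // zero-or-one / zero-or-more: optional
      } else {
        if (modifier === '+') j += 1;    // one-or-more: still required
        run = 0;
      }
      i = j;
      continue;
    }
    if (ch === '/') { i += 1; continue; } // separators do not break a run
    i += 1; run = 0;                      // any other literal text does
  }
  return { optionalGroups, longestSequentialOptional: longestRun };
}

// Mitigation 1: refuse patterns with too many sequential optional groups.
function isRoutePatternSafe(pattern) {
  return analyzePattern(pattern).longestSequentialOptional <= MAX_SEQUENTIAL_OPTIONAL;
}

// Mitigation 2: route patterns live in an application-owned table that is
// validated once at startup; request data may only select a route by name and
// never supplies a pattern of its own.
const ROUTES = Object.freeze({
  user: '/users/:id',              // constructed example routes
  post: '/posts/:id{.:ext}',
  file: '/files/:name(\\d+)?',
});

// Validate every registered pattern; returns the number of routes checked.
function validateRouteTable(routes) {
  for (const [name, pattern] of Object.entries(routes)) {
    if (!isRoutePatternSafe(pattern)) throw new Error(`route "${name}" rejected: ${pattern}`);
  }
  return Object.keys(routes).length;
}

// Look a route up by name only; unknown names (including prototype properties
// such as "toString") yield null rather than a pattern.
function selectRoute(name) {
  return Object.prototype.hasOwnProperty.call(ROUTES, name) ? ROUTES[name] : null;
}

validateRouteTable(ROUTES); // fail fast at startup rather than on a request
```

Running the validation at startup means a pattern that exceeds the threshold is caught when the service boots, where it is a deployment error, rather than on a request path where it would be a denial-of-service condition.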
References
https://access.redhat.com/security/cve/CVE-2026-4926
