Intel

AIKIDO-2026-566403

familia is vulnerable to Authentication Bypass

Authentication Bypass Pre-CVE
Found by Aikido Intel before public disclosure or CVE publication.
Published Today

59

Medium Risk

This Affects:

RUBYfamilia
2.11.0 - 2.11.0
Fixed in 2.11.1
Are you affected? Scan for Free

TL;DR

Familia::VerifiableIdentifier.secret_key loads the HMAC signing key from the VERIFIABLE_ID_HMAC_SECRET environment variable and only raises when the variable is entirely absent. A value that is present but blank or whitespace-only passes the check and is used as the HMAC key, so verifiable identifiers are signed and verified under an effectively empty secret. An attacker aware of the empty key can forge identifiers that pass verified_identifier?, defeating the authenticity guarantee the module provides. The fix treats a nil, empty, or whitespace-only secret the same as a missing one and raises instead of signing under an empty key.

Who does this affect?

You are affected if you are using a version that falls within the vulnerable range and the VERIFIABLE_ID_HMAC_SECRET environment variable is set to an empty or whitespace-only value.

Background info

familia is vulnerable to Authentication Bypass in versions 2.11.0 - 2.11.0.

How to fix this

Upgrade the familia library to the patch version.