Description
DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated attacker who knows or can guess a target user's Kratos identity UUID can issue requests as that user. Where the target user is an organisation admin or owner, this gives the attacker full control over that organisation's DevGuard resources. This vulnerability is fixed in 1.2.2.
Published: 2026-05-12
Score: 9.3 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is in the SessionMiddleware of DevGuard, which, when no Kratos session cookie is present, accepts a client-supplied X-Admin-Token HTTP header and treats its raw string value as the authenticated user ID. This authentication bypass allows an attacker who knows or can guess a target user's Kratos identity UUID to issue requests as that user. If the target user holds organization-level privileges, the attacker gains complete control over that organization's DevGuard resources. The weakness is an authentication bypass (CWE-288).

Affected Systems

The affected product is l3montree-dev's DevGuard, in versions prior to 1.2.2. The issue is resolved in version 1.2.2 and later.

Risk and Exploitability

The vulnerability carries a CVSS score of 9.3, indicating critical severity. The EPSS score is not available, so the exact likelihood of exploitation is unknown, and it is not listed in the CISA KEV catalog. The attack vector is inferred to be an unauthenticated HTTP request to the application with the X-Admin-Token header. If an attacker can determine a valid user UUID, the exploit can be performed from any location with network access to the DevGuard instance.

Generated by OpenCVE AI on May 12, 2026 at 19:47 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade DevGuard to version 1.2.2 or later to eliminate the vulnerable middleware logic.
  • Configure the application to reject or strip X-Admin-Token headers on requests that lack a valid Kratos session cookie.
  • Continuously monitor inbound traffic for suspicious X-Admin-Token header usage and guard against potential enumeration of user UUIDs.

Generated by OpenCVE AI on May 12, 2026 at 19:47 UTC.
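To make the flaw and the recommended fix concrete, here is an added illustration in Go with net/http (not DevGuard's own code) of the two middleware patterns described in the analysis and recommended actions above: the vulnerable fallback that adopts a client-supplied X-Admin-Token as the user ID when no session cookie is present, and a hardened version that derives identity only from a verified session and logs stray X-Admin-Token headers for monitoring. The in-memory session map, the cookie name ory_kratos_session and the sample UUID are constructed stand-ins for a real Kratos session lookup.

```go
package main

import (
	"context"
	"log"
	"net/http"
)

type userKey struct{}

// Constructed stand-in for a Kratos session lookup (assumption: cookie value -> identity UUID).
var sessions = map[string]string{"sess-valid-abc": "3f2a9c1e-0000-4000-8000-000000000001"}

// resolveSession returns the identity UUID behind a valid session cookie, or "" when there is none.
func resolveSession(r *http.Request) string {
	if c, err := r.Cookie("ory_kratos_session"); err == nil {
		return sessions[c.Value]
	}
	return ""
}

// serveAs rejects an empty identity with 401 and otherwise passes the user ID down via context.
func serveAs(next http.Handler, w http.ResponseWriter, r *http.Request, userID string) {
	if userID == "" {
		http.Error(w, "unauthorized", http.StatusUnauthorized)
		return
	}
	next.ServeHTTP(w, r.WithContext(context.WithValue(r.Context(), userKey{}, userID)))
}

// vulnerableSessionMiddleware: the flawed pattern the advisory describes; with no session it trusts the header.
func vulnerableSessionMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		userID := resolveSession(r)
		if userID == "" {
			userID = r.Header.Get("X-Admin-Token") // attacker-controlled identity
		}
		serveAs(next, w, r, userID)
	})
}

// hardenedSessionMiddleware: identity comes only from a verified session; a bare header is logged, never trusted.
func hardenedSessionMiddleware(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("X-Admin-Token") != "" {
			log.Printf("ignoring X-Admin-Token from %s on %s", r.RemoteAddr, r.URL.Path)
		}
		serveAs(next, w, r, resolveSession(r))
	})
}
```

The log line gives the "monitor for suspicious X-Admin-Token usage" recommendation something concrete to alert on, since a legitimate client never needs to send that header.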

Advisories
Source: GitHub GHSA
ID: GHSA-2g9v-7mr5-fgjg
Title: DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header
History

Tue, 12 May 2026 18:15:00 +0000

Type / Values Removed / Values Added

Description: DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated attacker who knows or can guess a target user's Kratos identity UUID can issue requests as that user. Where the target user is an organisation admin or owner, this gives the attacker full control over that organisation's DevGuard resources. This vulnerability is fixed in 1.2.2.
Title: DevGuard: Unauthenticated identity assertion via `X-Admin-Token` header
Weaknesses: CWE-288
References: (none)
Metrics: cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-12T17:25:20.435Z

Reserved: 2026-04-26T12:13:55.552Z

Link: CVE-2026-42300

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-12T18:17:24.390

Modified: 2026-05-12T18:17:24.390

Link: CVE-2026-42300

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-05-12T20:00:13Z

Weaknesses