Description
Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1.
Published: 2026-05-29
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Neotoma’s authentication middleware incorrectly treats requests received over a loopback socket and lacking a Bearer token as coming from a local development user. This bypass allows an attacker to access the Inspector and API without credentials, resulting in potential data exposure, tampering, or further exploitation of the host environment. The flaw is rooted in missing authentication enforcement (CWE‑288) and an insecure default user model (CWE‑306).

Affected Systems

The vulnerability affects Neotoma deployments from versions 0.6.0 through just before 0.11.1. The affected vendor is markmhendrickson: Neotoma. Any installation running an affected version and exposed to a reverse‑proxy that forwards traffic to the loopback interface is at risk.

Risk and Exploitability

The CVSS score of 6.9 reflects a moderate severity with potential for remote exploitation. No EPSS score is available, so the likelihood of exploitation cannot be quantified from the provided data. The vulnerability is not listed in CISA KEV, indicating no confirmed public exploits at this time. Attackers can exploit the flaw by configuring a reverse‑proxy to send requests over the loopback socket without a Bearer token, causing the backend to authenticate them as the local development user. This is a remote access scenario that does not require administrative credentials to the host.

Generated by OpenCVE AI on May 29, 2026 at 18:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Neotoma to version 0.11.1 or later, which contains the authentication fix.
  • Configure any reverse‑proxy or network component to prevent requests that target the loopback interface from bypassing authentication checks.
  • Restrict or disable the default local development user account so that unauthenticated local requests cannot gain privileged API access.

Generated by OpenCVE AI on May 29, 2026 at 18:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5cvp-p7p4-mcx9 Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
History

Sat, 30 May 2026 23:00:00 +0000

Type Values Removed Values Added
First Time appeared Markmhendrickson
Markmhendrickson neotoma
Vendors & Products Markmhendrickson
Markmhendrickson neotoma

Fri, 29 May 2026 20:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 29 May 2026 17:30:00 +0000

Type Values Removed Values Added
Description Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1.
Title Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
Weaknesses CWE-288
CWE-306
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Markmhendrickson Neotoma
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-29T19:28:05.378Z

Reserved: 2026-05-12T19:00:14.600Z

Link: CVE-2026-45577

cve-icon Vulnrichment

Updated: 2026-05-29T19:27:46.868Z

cve-icon NVD

Status : Deferred

Published: 2026-05-29T18:17:10.007

Modified: 2026-06-01T18:45:39.580

Link: CVE-2026-45577

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-30T21:18:23Z

Weaknesses
  • CWE-288

    Authentication Bypass Using an Alternate Path or Channel

  • CWE-306

    Missing Authentication for Critical Function