Description
@acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header, and Host is also client-controlled. As a result, a remote unauthenticated attacker can send a request with crafted headers and bypass token validation before the normal legacy/JWT/OIDC validation logic runs. A fix has been implemented in v2.3.0.
Published: 2026-07-01
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability allows an unauthenticated attacker to bypass token validation by sending specially crafted HTTP headers. The validateToken middleware reads two client-controlled headers, auth-user and Host, in a service-to-service check that runs before the standard JWT/OIDC validation. By setting auth-user to "service-brother" and supplying a Host value that starts with the protected hostname, the attacker causes the middleware to skip authentication entirely, gaining unauthorized access to protected microservices. The weakness is categorized as CWE-287.

Affected Systems

The affected product is the @acastellon/auth authentication module, version 2.2.x and earlier. Upgrading to version 2.3.0 or later resolves the issue.

Risk and Exploitability

The CVSS score of 8.7 rates the vulnerability as high severity. The EPSS score is not available, so the likelihood of exploitation cannot be quantified from the provided data, but the absence of a KEV listing suggests it is not yet known to be widely exploited. The attack vector is remote and requires no privileges: an attacker can trigger the bypass by sending an HTTP request with the spoofed headers from any network location that can reach the service.

Generated by OpenCVE AI on July 1, 2026 at 21:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the @acastellon/auth module to version 2.3.0 or later.
  • If an upgrade is not immediately possible, configure upstream proxies or API gateways to reject or strip the auth-user and Host headers from unauthenticated requests.
  • Add custom middleware to enforce origin checks and only allow trusted service-to-service traffic on internal networks.


Tracking


Advisories
Source: GitHub GHSA
ID: GHSA-gfj5-979r-92pw
Title: @acastellon/auth: Authentication bypass via spoofable headers in validateToken()
History

Wed, 01 Jul 2026 14:30:00 +0000

Values added (none removed):

Description: @acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header, and Host is also client-controlled. As a result, a remote unauthenticated attacker can send a request with crafted headers and bypass token validation before the normal legacy/JWT/OIDC validation logic runs. A fix has been implemented in v2.3.0.
Title: @acastellon/auth has an authentication bypass via spoofable headers in validateToken()
Weaknesses: CWE-287
References: (none listed)
Metrics: cvssV4_0, score 8.7, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N


Subscriptions

No data.

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-07-01T14:25:44.452Z

Reserved: 2026-06-30T18:19:58.378Z

Link: CVE-2026-58399

Vulnrichment

No data.

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-07-01T21:15:05Z

Weaknesses