Description
code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.
Published: 2026-05-26
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

code100x Mobile API authentication bypass allows attackers to impersonate any user by crafting a JSON payload in the 'g' HTTP header. Middleware.ts incorrectly skips identity header generation when an Auth-Key header is present, and fails to validate its value. This flaw lets attackers inject a spoofed user identity header that the downstream mobile courses endpoint accepts as trusted, granting unauthorized read access to course data of any enrolled user or administrator.

Affected Systems

The vulnerability affects the code100x CMS product. No specific version numbers are listed in the CNA details, so all releases before the fix in pull request 1927 are potentially vulnerable.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, implying significant impact if exploited. EPSS data is unavailable and the vulnerability is not yet in the CISA KEV catalog, but the flaw is exploitable by remote attackers through unauthenticated HTTP requests without any other privileges. An attacker can send a request to any public endpoint of the mobile API with a spoofed 'Auth-Key' header and retrieve unauthorized information, so the risk is high.

Generated by OpenCVE AI on May 26, 2026 at 20:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade code100x to a release that contains the resolution of pull request 1927, ensuring the middleware validates the Auth-Key header before generating identity headers.
  • Audit middleware.ts and any custom authentication logic to confirm that identity headers are only generated after proper validation of Auth-Key or equivalent credentials.
  • Implement defense-in-depth by adding API gateway or ingress rules that reject HTTP requests containing suspicious or unexpected 'Auth-Key' headers from unauthenticated clients.
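The middleware flaw described above and the first two recommended actions, as an added TypeScript illustration that is not code100x's own middleware.ts: the header names 'g' and 'Auth-Key' come from the advisory, while the 'x-session' header, the key and session tables and the hashed-key comparison are assumptions constructed for this example. It contrasts the early-return pattern the advisory describes with a version that strips any client-supplied identity header unconditionally and only emits one after the credential has been validated against server-side state.

```typescript
// Added illustration, not code100x's own middleware.ts: it models the header
// flow the advisory describes with plain objects so it runs without Next.js.
// Header names ('g', 'Auth-Key', 'x-session'), the key table and the session
// table are all assumptions constructed for this example.
import { createHash, timingSafeEqual } from "node:crypto";

type HeaderMap = Record<string, string>;
type Identity = { id: string; role: "user" | "admin" };

function sha256Hex(s: string): string {
  return createHash("sha256").update(s).digest("hex");
}

// Constructed server-side tables. API keys are stored hashed, never in plaintext.
const AUTH_KEY_TABLE: Record<string, Identity> = {
  [sha256Hex("example-mobile-key-1")]: { id: "u-alice", role: "user" },
};
const SESSION_TABLE: Record<string, Identity> = {
  "sess-bob": { id: "u-bob", role: "user" },
};

// Normalise header names to lower case; HTTP header names are case-insensitive.
function normalise(h: HeaderMap): HeaderMap {
  const out: HeaderMap = {};
  for (const [k, v] of Object.entries(h)) out[k.toLowerCase()] = v;
  return out;
}

// Resolve the identity an Auth-Key value stands for, comparing hashes in
// constant time so the check does not leak which stored key matched.
function identityForAuthKey(candidate: string): Identity | null {
  const probe = Buffer.from(sha256Hex(candidate), "hex");
  for (const [storedHex, identity] of Object.entries(AUTH_KEY_TABLE)) {
    const stored = Buffer.from(storedHex, "hex");
    if (stored.length === probe.length && timingSafeEqual(stored, probe)) return identity;
  }
  return null;
}

// Vulnerable pattern (the behaviour the advisory describes): when Auth-Key is
// present the middleware returns early without validating it, so a 'g' header
// supplied by the client reaches the route handler untouched.
function vulnerableMiddleware(incoming: HeaderMap): HeaderMap {
  const req = normalise(incoming);
  if ("auth-key" in req) return { ...req };
  const out: HeaderMap = { ...req };
  delete out["g"];
  const session = SESSION_TABLE[req["x-session"] ?? ""];
  if (session) out["g"] = JSON.stringify(session);
  return out;
}

// Hardened pattern: drop any client-supplied identity header unconditionally,
// and only emit 'g' after the credential (Auth-Key or session) has been
// validated against server-side state. A client-supplied 'g' is surfaced as an
// alert, since legitimate clients never send it; this is a useful detection signal.
function hardenedMiddleware(incoming: HeaderMap): { headers: HeaderMap; alert: string | null } {
  const req = normalise(incoming);
  const out: HeaderMap = { ...req };
  const alert = "g" in req ? "client-supplied identity header dropped" : null;
  delete out["g"];

  let identity: Identity | null = null;
  if (req["auth-key"] !== undefined) {
    identity = identityForAuthKey(req["auth-key"]);
    if (identity === null) return { headers: out, alert: alert ?? "invalid Auth-Key" };
  } else {
    identity = SESSION_TABLE[req["x-session"] ?? ""] ?? null;
  }
  if (identity) out["g"] = JSON.stringify(identity);
  return { headers: out, alert };
}

// Route handler in the style the advisory describes: it trusts 'g' as the
// caller's identity because the middleware is meant to be its only source.
function coursesHandler(headers: HeaderMap): { status: number; userId?: string } {
  const g = headers["g"];
  if (g === undefined) return { status: 401 };
  const identity = JSON.parse(g) as Identity;
  return { status: 200, userId: identity.id };
}
```

The important property is that the hardened version's trust boundary does not depend on which headers the client chose to send: 'g' is deleted before any branch, and the identity written into it always comes from a server-side lookup. The alert value gives a place to hook logging so that inbound 'g' headers, which never originate from legitimate clients, can be monitored as a signal of probing.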

Advisories

No advisories yet.

History

Wed, 27 May 2026 10:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Code100x
                                       Code100x code100x
Vendors & Products                     Code100x
                                       Code100x code100x

Tue, 26 May 2026 20:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 26 May 2026 19:00:00 +0000

Type          Values Removed   Values Added
Description                    code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.
Title                          code100x Mobile API Authentication Bypass via Header Spoofing
Weaknesses                     CWE-639
References
Metrics                        cvssV3_1
                               {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
                               cvssV4_0
                               {'score': 8.8, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N'}

MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-26T19:25:54.063Z

Reserved: 2026-05-18T20:47:38.669Z

Link: CVE-2026-8890

Vulnrichment

Updated: 2026-05-26T19:24:59.211Z

NVD

Status: Deferred

Published: 2026-05-26T19:16:34.007

Modified: 2026-05-26T20:16:21.293

Link: CVE-2026-8890

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-27T10:08:44Z

Weaknesses
  • CWE-639: Authorization Bypass Through User-Controlled Key