Skip to main content

waoowaoo CVE-2026-15557

| EUVDEUVD-2026-43334 MEDIUM
Improper Authentication (CWE-287)
2026-07-13 VulDB
5.5
CVSS 4.0 · Vendor: VulDB
Share

Severity by source

Vendor (VulDB) PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
7.3 HIGH

Network-reachable auth bypass requiring no privileges or interaction; low C/I/A as impact is bounded to session impersonation, not full system compromise.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N

Primary rating from Vendor (VulDB).

CVSS VectorVendor: VulDB

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jul 13, 2026 - 11:29 vuln.today
CVSS changed
Jul 13, 2026 - 10:22 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
CVE Published
Jul 13, 2026 - 09:30 cve.org
MEDIUM 5.5

DescriptionCVE.org

A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This manipulation of the argument x-internal-user-id request causes improper authentication. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Authentication bypass in waooAI waoowaoo through version 0.4.1 allows unauthenticated remote attackers to spoof internal user identity by manipulating the x-internal-user-id HTTP request header, defeating the authentication controls implemented across multiple auth functions in the API layer. Affected are the getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, and requireProjectAuthLight functions in src/lib/api-auth.ts, meaning both user-level and project-level authorization gates can be circumvented. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify network-accessible waoowaoo instance
Delivery
Craft HTTP request with spoofed x-internal-user-id header
Exploit
Submit request to Internal Task Handler endpoint
Execution
Bypass getInternalTaskSession/getAuthSession authentication checks
Impact
Access internal task sessions or project resources as impersonated user

Vulnerability AssessmentAI

Exploitation Exploitation requires network access to the waoowaoo application (version ≤0.4.1) and the ability to send arbitrary HTTP headers - specifically, the x-internal-user-id header - to endpoints handled by the Internal Task Header Handler. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 base score of 5.5 (Medium) reflects network exploitability (AV:N), low complexity (AC:L), no attack requirements (AT:N), no privileges required (PR:N), and no user interaction (UI:N), with low impact across confidentiality, integrity, and availability (VC:L/VI:L/VA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated remote attacker sends a crafted HTTP request to the waoowaoo Internal Task Handler endpoint, including a spoofed x-internal-user-id header set to the identifier of a legitimate user or project. The getInternalTaskSession or getAuthSession function accepts this header at face value, establishing a session under the impersonated identity without credential verification. …
Remediation No vendor-released patch has been identified at time of analysis; the vendor has not responded to the responsible disclosure submitted via GitHub issue #200 (https://github.com/waooAI/waoowaoo/issues/200). … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-15557 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy