Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Network-reachable auth bypass requiring no privileges or interaction; low C/I/A as impact is bounded to session impersonation, not full system compromise.
Primary rating from Vendor (VulDB).
CVSS VectorVendor: VulDB
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This manipulation of the argument x-internal-user-id request causes improper authentication. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Authentication bypass in waooAI waoowaoo through version 0.4.1 allows unauthenticated remote attackers to spoof internal user identity by manipulating the x-internal-user-id HTTP request header, defeating the authentication controls implemented across multiple auth functions in the API layer. Affected are the getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, and requireProjectAuthLight functions in src/lib/api-auth.ts, meaning both user-level and project-level authorization gates can be circumvented. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires network access to the waoowaoo application (version ≤0.4.1) and the ability to send arbitrary HTTP headers - specifically, the x-internal-user-id header - to endpoints handled by the Internal Task Header Handler. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The CVSS 4.0 base score of 5.5 (Medium) reflects network exploitability (AV:N), low complexity (AC:L), no attack requirements (AT:N), no privileges required (PR:N), and no user interaction (UI:N), with low impact across confidentiality, integrity, and availability (VC:L/VI:L/VA:L). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated remote attacker sends a crafted HTTP request to the waoowaoo Internal Task Handler endpoint, including a spoofed x-internal-user-id header set to the identifier of a legitimate user or project. The getInternalTaskSession or getAuthSession function accepts this header at face value, establishing a session under the impersonated identity without credential verification. … |
| Remediation | No vendor-released patch has been identified at time of analysis; the vendor has not responded to the responsible disclosure submitted via GitHub issue #200 (https://github.com/waooAI/waoowaoo/issues/200). … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43334