DevGuard CVE-2026-42300
CRITICALSeverity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
5DescriptionGitHub Advisory
Impact
The SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated attacker who knows or can guess a target user's Kratos identity UUID can issue requests as that user. Where the target user is an organisation admin or owner, this gives the attacker full control over that organisation's DevGuard resources.
Patches
The release v1.2.2 patches this issue. Update your DevGuard API Instances to this version.
Workarounds
Configure a reverse proxy to strip the X-Admin-Token header before sending requests to the DevGuard API.
Resources
Fixed commit: https://github.com/l3montree-dev/devguard/commit/6f38310bf93b2a63df3055038f4da82b1f4e6d9a
AnalysisAI
DevGuard versions prior to 1.2.2 allow complete authentication bypass and privilege escalation through manipulation of the X-Admin-Token HTTP header. Unauthenticated remote attackers can impersonate any user - including organization admins and owners - by providing a known or guessed Kratos identity UUID in this header, gaining full control over DevGuard resources. This is a critical authentication bypass requiring no special configuration or privileges. Vendor-released patch: v1.2.2 (commit 6f38310b). No public exploit identified at time of analysis, but exploitation is trivial.
Technical ContextAI
DevGuard is a Go-based security management platform (pkg:go/github.com/l3montree-dev/devguard) that integrates with Ory Kratos for identity management. The vulnerability resides in the SessionMiddleware component within the access control layer. When a Kratos session cookie is absent, the middleware falls back to accepting a client-supplied X-Admin-Token header and directly uses its raw string value as the authenticated userID without validation. The code paths in externalEntityProviderRBAC granted special access privileges (read access for admin tokens, full control over assets and projects) based solely on matching this header value. This represents CWE-288 (Authentication Bypass Using an Alternate Path or Channel) - the middleware created an unauthenticated backdoor by trusting client-supplied authentication tokens. The fix in v1.2.2 removed all adminToken parameters and privilege checks, forcing authentication through the proper Kratos session mechanism. The commit diff shows removal of admin token references from RBAC constructors and conditional privilege grants across multiple access control methods.
RemediationAI
Immediately upgrade all DevGuard API instances to version v1.2.2 or later, available from https://github.com/l3montree-dev/devguard. The fix commit (6f38310bf93b2a63df3055038f4da82b1f4e6d9a) removes the vulnerable admin token authentication path entirely, forcing all requests through proper Kratos session validation. If immediate patching is not feasible, deploy a reverse proxy (nginx, Apache, cloud WAF) configured to strip the X-Admin-Token header from all inbound requests before they reach the DevGuard API - this workaround prevents header injection attacks but requires careful proxy configuration and testing to avoid blocking legitimate functionality. Note that the workaround only mitigates exploitation; it does not fix the underlying code vulnerability. Organizations should audit access logs for suspicious X-Admin-Token header usage, review recent administrative actions for unauthorized changes, and rotate credentials for any potentially compromised accounts. After patching, verify the fix by attempting to authenticate with an X-Admin-Token header (should fail). Full advisory with technical details: https://github.com/l3montree-dev/devguard/security/advisories/GHSA-2g9v-7mr5-fgjg
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-2g9v-7mr5-fgjg