Skip to main content

DevGuard CVE-2026-42300

CRITICAL
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-05 https://github.com/l3montree-dev/devguard GHSA-2g9v-7mr5-fgjg
9.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.3 CRITICAL
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

5
Analysis Updated
May 12, 2026 - 18:29 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 12, 2026 - 18:22 vuln.today
cvss_changed
CVSS changed
May 12, 2026 - 18:22 NVD
9.3 (CRITICAL)
Source Code Evidence Fetched
May 05, 2026 - 21:33 vuln.today
Analysis Generated
May 05, 2026 - 21:33 vuln.today

DescriptionGitHub Advisory

Impact

The SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated attacker who knows or can guess a target user's Kratos identity UUID can issue requests as that user. Where the target user is an organisation admin or owner, this gives the attacker full control over that organisation's DevGuard resources.

Patches

The release v1.2.2 patches this issue. Update your DevGuard API Instances to this version.

Workarounds

Configure a reverse proxy to strip the X-Admin-Token header before sending requests to the DevGuard API.

Resources

Fixed commit: https://github.com/l3montree-dev/devguard/commit/6f38310bf93b2a63df3055038f4da82b1f4e6d9a

AnalysisAI

DevGuard versions prior to 1.2.2 allow complete authentication bypass and privilege escalation through manipulation of the X-Admin-Token HTTP header. Unauthenticated remote attackers can impersonate any user - including organization admins and owners - by providing a known or guessed Kratos identity UUID in this header, gaining full control over DevGuard resources. This is a critical authentication bypass requiring no special configuration or privileges. Vendor-released patch: v1.2.2 (commit 6f38310b). No public exploit identified at time of analysis, but exploitation is trivial.

Technical ContextAI

DevGuard is a Go-based security management platform (pkg:go/github.com/l3montree-dev/devguard) that integrates with Ory Kratos for identity management. The vulnerability resides in the SessionMiddleware component within the access control layer. When a Kratos session cookie is absent, the middleware falls back to accepting a client-supplied X-Admin-Token header and directly uses its raw string value as the authenticated userID without validation. The code paths in externalEntityProviderRBAC granted special access privileges (read access for admin tokens, full control over assets and projects) based solely on matching this header value. This represents CWE-288 (Authentication Bypass Using an Alternate Path or Channel) - the middleware created an unauthenticated backdoor by trusting client-supplied authentication tokens. The fix in v1.2.2 removed all adminToken parameters and privilege checks, forcing authentication through the proper Kratos session mechanism. The commit diff shows removal of admin token references from RBAC constructors and conditional privilege grants across multiple access control methods.

RemediationAI

Immediately upgrade all DevGuard API instances to version v1.2.2 or later, available from https://github.com/l3montree-dev/devguard. The fix commit (6f38310bf93b2a63df3055038f4da82b1f4e6d9a) removes the vulnerable admin token authentication path entirely, forcing all requests through proper Kratos session validation. If immediate patching is not feasible, deploy a reverse proxy (nginx, Apache, cloud WAF) configured to strip the X-Admin-Token header from all inbound requests before they reach the DevGuard API - this workaround prevents header injection attacks but requires careful proxy configuration and testing to avoid blocking legitimate functionality. Note that the workaround only mitigates exploitation; it does not fix the underlying code vulnerability. Organizations should audit access logs for suspicious X-Admin-Token header usage, review recent administrative actions for unauthorized changes, and rotate credentials for any potentially compromised accounts. After patching, verify the fix by attempting to authenticate with an X-Admin-Token header (should fail). Full advisory with technical details: https://github.com/l3montree-dev/devguard/security/advisories/GHSA-2g9v-7mr5-fgjg

Share

CVE-2026-42300 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy