Skip to main content

Neotoma CVE-2026-45577

| EUVDEUVD-2026-33367 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-18 https://github.com/markmhendrickson/neotoma GHSA-5cvp-p7p4-mcx9
6.9
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.9 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
CVSS changed
May 29, 2026 - 18:22 NVD
6.9 (MEDIUM)
Source Code Evidence Fetched
May 18, 2026 - 15:01 vuln.today
Analysis Generated
May 18, 2026 - 15:01 vuln.today

DescriptionGitHub Advisory

Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present.

In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials.

Impact: unauthorized access to production data exposed through the Inspector/API on affected deployments.

Affected condition: a public deployment behind a reverse proxy or same-host tunnel that forwards traffic to the Node process over loopback.

Remediation implemented on the main branch: local-request detection now fails closed in production unless loopback trust is explicitly enabled, and forwarded public clients remain remote.

Patched release version is pending; this draft will be updated once the fix is released.

AnalysisAI

Authentication bypass in Neotoma (npm package for Node.js data exploration) versions 0.6.0 through 0.11.0 allows unauthenticated remote attackers to access production Inspector UI and API endpoints when deployed behind reverse proxies. The vulnerability stems from CWE-288 authentication logic flaw where the REST middleware incorrectly treats reverse-proxied public requests as local development traffic when received over loopback sockets without Bearer tokens, granting unauthorized local-user privileges. Fixed in version 0.11.1 released April 2025, which implements X-Forwarded-For validation and fails closed in production environments. No public exploit code identified at time of analysis, though exploitation is straightforward for attackers who identify affected deployments.

Technical ContextAI

Neotoma is an npm package (pkg:npm/neotoma) providing data exploration and inspection capabilities for Node.js applications. The vulnerability arises from a CWE-288 Authentication Bypass by Assuming a Trusted Path flaw in the REST authentication middleware introduced in version 0.6.0. The middleware performs local-request detection by checking if connections arrive over loopback interfaces (127.0.0.1/::1). In typical reverse-proxy architectures (nginx, Apache, Cloudflare Tunnel, etc.), the proxy terminates external connections and forwards requests to the backend Node process over localhost. Without inspecting X-Forwarded-For headers, the middleware cannot distinguish legitimate local development traffic from proxied public requests. When no Bearer token is present, affected versions grant these proxied requests the privileges of the local development user, bypassing authentication entirely and exposing the Inspector interface and associated API endpoints that would normally require credentials.

RemediationAI

Upgrade immediately to Neotoma version 0.11.1 or later, which implements production-safe local-request detection that validates X-Forwarded-For headers and fails closed when reverse-proxy traffic is detected. Install via npm: 'npm install -g neotoma@0.11.1' for CLI users or update package.json dependency to '"neotoma": "^0.11.1"' for embedded usage. Release notes and migration guidance are available at https://github.com/markmhendrickson/neotoma/releases/tag/v0.11.1. If immediate patching is not feasible, implement compensating controls: (1) Configure the reverse proxy to require authentication before forwarding to Neotoma backend, adding an authorization layer external to the application - trade-off is managing separate auth mechanism and potential UX friction; (2) Bind the Neotoma process to a non-loopback interface and configure firewall rules to restrict access to trusted IP ranges only - trade-off is increased network exposure and operational complexity; (3) Temporarily disable the Inspector interface in production if the vulnerability surface is not required for operational needs - trade-off is loss of production debugging capability. Note that setting NEOTOMA_TRUST_PROD_LOOPBACK=1 in patched versions re-enables loopback trust and should only be used in isolated environments where loopback traffic is guaranteed local.

Share

CVE-2026-45577 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy