Severity by source
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from Vendor (VulnCheck) · only source for this CVE.
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionCVE.org
Vibe-Trading before 0.1.10's local API server trusts the TCP peer address to bypass the API_AUTH_KEY bearer-token check for loopback clients and performs no Host header validation, while binding to 0.0.0.0 with credentialed CORS by default. A DNS-rebinding web page can therefore issue authenticated requests to the local API as a trusted loopback client. Because loopback requests also auto-enable shell tools, an attacker can reach POST /swarm/runs with a built-in preset that permits the bash tool and achieve remote code execution as the API process user; the same bypass allows starting the live runner and overwriting LLM and data-source settings to redirect provider traffic and exfiltrate credentials.
AnalysisAI
Remote code execution in HKUDS Vibe-Trading before 0.1.10 is reachable via a DNS-rebinding attack against its local API server, which trusts the TCP peer address to waive the API_AUTH_KEY bearer-token check for loopback clients, performs no Host-header validation, and binds to 0.0.0.0 with credentialed CORS by default. Because loopback requests also auto-enable shell tools, a malicious web page visited by the victim can issue authenticated POST /swarm/runs calls with a built-in preset that permits the bash tool, executing arbitrary commands as the API process user and also overwriting LLM and data-source settings to redirect provider traffic and exfiltrate credentials. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Recommended ActionAI
Within 24 hours: Audit environment to identify all HKUDS Vibe-Trading instances and document current versions. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Vibe Trading
View allTrading mandate forgery in HKUDS Vibe-Trading before 0.1.10 lets an admitted (low-privileged) caller supply a proposal i
Path traversal in Vibe-Trading before version 0.1.10 allows low-privileged authenticated network attackers to write arbi
Path traversal in Vibe-Trading's swarm run directory handler allows low-privileged network attackers to read and overwri
Same weakness CWE-346 – Origin Validation Error
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-40350
GHSA-q796-5g5h-cqcc