Skip to main content

ericc-ch copilot-api CVE-2026-6874

| EUVDEUVD-2026-25137 LOW
Reliance on Reverse DNS Resolution for a Security-Critical Action (CWE-350)
2026-04-23 cna@vuldb.com GHSA-3vr4-cvmg-7fx4
2.1
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

6
Severity Changed
Apr 29, 2026 - 01:12 NVD
MEDIUM LOW
CVSS changed
Apr 29, 2026 - 01:12 NVD
5.3 (MEDIUM) 2.1 (LOW)
Analysis Generated
Apr 23, 2026 - 07:02 vuln.today
EUVD ID Assigned
Apr 23, 2026 - 00:22 euvd
EUVD-2026-25137
Analysis Generated
Apr 23, 2026 - 00:22 vuln.today
CVE Published
Apr 23, 2026 - 00:16 nvd
LOW 2.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 2 npm packages depend on copilot-api (2 direct, 0 indirect)

Ecosystem-wide dependent count for version 0.7.0.

DescriptionCVE.org

A vulnerability was determined in ericc-ch copilot-api up to 0.7.0. This impacts an unknown function of the file /token of the component Header Handler. Executing a manipulation of the argument Host can lead to reliance on reverse dns resolution. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Reliance on reverse DNS resolution in ericc-ch copilot-api up to version 0.7.0 allows authenticated remote attackers to manipulate the Host header in the /token endpoint, leading to information disclosure. The vulnerability affects the Header Handler component and has been publicly disclosed with exploit code available; the vendor did not respond to early disclosure notification.

Technical ContextAI

The copilot-api application processes HTTP requests to the /token endpoint via a Header Handler component that improperly validates or sanitizes the Host header. Rather than using a whitelist or cryptographic validation of the request origin, the application relies on reverse DNS resolution of the client's IP address to determine legitimacy or context. This design flaw (CWE-350: Reliance on Reverse DNS Resolution Without IP Address Verification) allows an attacker to spoof DNS responses or manipulate header values, causing the application to trust malicious input and leak sensitive information. The vulnerability requires authentication (PR:L in CVSS vector), indicating the attacker must have valid credentials to the application.

RemediationAI

No vendor-released patch has been identified at time of analysis. The vendor did not respond to early disclosure notification, making official patching uncertain. Immediate mitigation options include: upgrade to a version newer than 0.7.0 if available (verify with the project maintainers at https://github.com/August829 or monitor releases), restrict access to the /token endpoint using network-level controls such as WAF rules that reject suspicious Host headers or API gateway authentication, implement strict Host header validation on a reverse proxy (whitelist known legitimate hosts, block wildcard/spoofed values), and enforce principle of least privilege by limiting which users have authentication credentials to copilot-api. Additionally, monitor reverse DNS queries from the application and alert on unusual patterns. If patching is not feasible, consider disabling automatic Host header trust and requiring explicit authorization tokens for sensitive operations.

Share

CVE-2026-6874 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy