Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
8DescriptionCVE.org
A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
AnalysisAI
Missing authentication in MiroFish REST API allows remote attackers to bypass security controls and access protected endpoints without credentials. The vulnerability affects MiroFish versions up to 0.1.2 in the create_app function within backend/app/__init__.py. A publicly available exploit demonstrates the attack (GitHub issue #487), and the vulnerability is trivially exploitable with CVSS complexity rated Low and no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). The vendor has not responded to responsible disclosure attempts, leaving users without an official patch. With CVSS 7.3 (High) and confirmed public POC, this represents an immediate risk to deployments exposing the REST API to untrusted networks.
Technical ContextAI
This vulnerability stems from CWE-306 (Missing Authentication for Critical Function) in the MiroFish REST API initialization code. The create_app function in backend/app/__init__.py fails to properly enforce authentication requirements on API endpoints, allowing unauthenticated remote callers to interact with protected resources. MiroFish appears to be a Python-based application using Flask or similar framework for its REST API (based on the create_app factory pattern common in Flask applications). The flaw likely involves missing decorators, middleware, or before_request handlers that should validate authentication tokens or session credentials before processing API requests. The CPE identifier cpe:2.3:a:666ghj:mirofish indicates this is a third-party open-source project maintained by developer 666ghj on GitHub.
RemediationAI
No vendor-released patch exists at time of analysis - the project maintainer has not responded to vulnerability disclosure via GitHub issue #487. Organizations must implement compensating controls immediately: (1) Deploy a reverse proxy (nginx, Apache, or cloud WAF) in front of MiroFish with authentication enforcement at the proxy layer using HTTP Basic Auth, OAuth2, or API keys; note this adds operational complexity for legitimate API clients who must now authenticate twice. (2) Restrict network access to the REST API endpoints using firewall rules, allowing only trusted IP ranges or internal networks; this breaks legitimate remote API access. (3) If the REST API is not required for operations, disable it entirely by modifying backend/app/__init__.py to comment out API route registration; this eliminates API functionality. (4) Monitor for unauthorized API access attempts via application logs and network intrusion detection. (5) Consider forking the project and applying authentication decorators to vulnerable endpoints, but this requires Python/Flask expertise and ongoing maintenance burden. Reference the exploit details at https://vuldb.com/vuln/359621 and https://github.com/666ghj/MiroFish/issues/487 to understand the exact attack pattern for detection signatures. Organizations should urgently evaluate alternative products given vendor unresponsiveness.
Remote command injection in MiroFish versions up to 0.1.2 allows unauthenticated attackers to execute arbitrary system c
Path traversal in MiroFish up to version 0.1.2 allows remote unauthenticated attackers to read arbitrary files via manip
Information disclosure in MiroFish up to version 0.1.2 allows remote attackers to leak sensitive data through manipulati
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-25719