Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.
AnalysisAI
Authentication bypass in code100x CMS Mobile API allows unauthenticated remote attackers to impersonate any enrolled user or administrator by supplying a crafted JSON payload in the 'g' HTTP header alongside an unvalidated 'Auth-Key' header. The middleware shortcuts identity verification whenever an Auth-Key is present without checking its value, letting downstream mobile course endpoints trust attacker-supplied identity claims. Publicly available exploit code exists via the upstream GitHub PR diff, though EPSS probability remains low at 0.08%.
Technical ContextAI
code100x CMS is a Next.js-based course management platform whose Edge middleware (src/middleware.ts) gates API authentication. The flaw is a classic CWE-639 (Authorization Bypass Through User-Controlled Key): the middleware called NextResponse.next() as soon as any 'Auth-Key' header was present, never comparing it against the expected APPX_AUTH_KEY secret and never stripping the user-controlled 'g' header. Downstream mobile course route handlers then deserialize the 'g' header as a trusted identity claim, treating attacker-supplied JSON as an authenticated session principal. The fix introduces a strict equality check against process.env.APPX_AUTH_KEY and explicitly deletes the 'g' header from forwarded requests before invoking next().
RemediationAI
Upstream fix available (PR/commit); released patched version not independently confirmed - pull commit 90b489e or 88c6c5e from https://github.com/code100x/cms/pull/1927, which adds strict equality validation of the Auth-Key header against process.env.APPX_AUTH_KEY and deletes the 'g' header from forwarded requests in src/middleware.ts. Ensure APPX_AUTH_KEY is set to a high-entropy secret in your deployment environment and is not left empty (an empty env var would make the equality check pass for an empty Auth-Key). As a compensating control until you can deploy the patch, terminate traffic at a reverse proxy or WAF that strips inbound 'g' and 'Auth-Key' headers from public requests - note this will break any legitimate mobile-app integration that relies on the Auth-Key path, so coordinate with mobile clients first. Restricting the /api/mobile/* routes to known mobile-gateway IPs is an additional layer but does not address insider or compromised-mobile-gateway scenarios.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31953
GHSA-qggg-4j5m-mx55