Skip to main content

code100x CMS CVE-2026-8890

| EUVDEUVD-2026-31953 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-05-26 VulnCheck GHSA-qggg-4j5m-mx55
8.8
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.8 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Source Code Evidence Fetched
Jun 08, 2026 - 10:08 vuln.today
Analysis Generated
Jun 08, 2026 - 10:08 vuln.today
CVSS changed
May 26, 2026 - 19:22 NVD
8.2 (HIGH) 8.8 (HIGH)

DescriptionCVE.org

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.

AnalysisAI

Authentication bypass in code100x CMS Mobile API allows unauthenticated remote attackers to impersonate any enrolled user or administrator by supplying a crafted JSON payload in the 'g' HTTP header alongside an unvalidated 'Auth-Key' header. The middleware shortcuts identity verification whenever an Auth-Key is present without checking its value, letting downstream mobile course endpoints trust attacker-supplied identity claims. Publicly available exploit code exists via the upstream GitHub PR diff, though EPSS probability remains low at 0.08%.

Technical ContextAI

code100x CMS is a Next.js-based course management platform whose Edge middleware (src/middleware.ts) gates API authentication. The flaw is a classic CWE-639 (Authorization Bypass Through User-Controlled Key): the middleware called NextResponse.next() as soon as any 'Auth-Key' header was present, never comparing it against the expected APPX_AUTH_KEY secret and never stripping the user-controlled 'g' header. Downstream mobile course route handlers then deserialize the 'g' header as a trusted identity claim, treating attacker-supplied JSON as an authenticated session principal. The fix introduces a strict equality check against process.env.APPX_AUTH_KEY and explicitly deletes the 'g' header from forwarded requests before invoking next().

RemediationAI

Upstream fix available (PR/commit); released patched version not independently confirmed - pull commit 90b489e or 88c6c5e from https://github.com/code100x/cms/pull/1927, which adds strict equality validation of the Auth-Key header against process.env.APPX_AUTH_KEY and deletes the 'g' header from forwarded requests in src/middleware.ts. Ensure APPX_AUTH_KEY is set to a high-entropy secret in your deployment environment and is not left empty (an empty env var would make the equality check pass for an empty Auth-Key). As a compensating control until you can deploy the patch, terminate traffic at a reverse proxy or WAF that strips inbound 'g' and 'Auth-Key' headers from public requests - note this will break any legitimate mobile-app integration that relies on the Auth-Key path, so coordinate with mobile clients first. Restricting the /api/mobile/* routes to known mobile-gateway IPs is an additional layer but does not address insider or compromised-mobile-gateway scenarios.

Share

CVE-2026-8890 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy