Skip to main content

Vane CVE-2026-9371

| EUVDEUVD-2026-31583 LOW
Missing Authentication for Critical Function (CWE-306)
2026-05-24 VulDB GHSA-wp4r-2xxm-f94x
2.9
CVSS 4.0 · NVD

Severity by source

NVD PRIMARY
2.9 LOW
CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

3
Severity Changed
May 26, 2026 - 20:07 NVD
MEDIUM LOW
CVSS changed
May 26, 2026 - 20:07 NVD
5.6 (MEDIUM) 2.9 (LOW)
Analysis Generated
May 24, 2026 - 10:15 vuln.today

DescriptionCVE.org

A security vulnerability has been detected in ItzCrazyKns Vane up to 1.12.1. Affected by this issue is some unknown functionality of the file route.ts of the component API. The manipulation leads to missing authentication. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitation is known to be difficult. The exploit has been disclosed publicly and may be used. It appears that basic authentication is planned.

AnalysisAI

Missing authentication in Vane up to 1.12.1 allows remote attackers to bypass intended access controls on API route.ts endpoints, potentially exposing or manipulating API functionality without credentials. Publicly available exploit code exists (GitHub issue #1123), though CVSS rates attack complexity as high (AC:H) with difficult exploitation, resulting in limited confidentiality, integrity, and availability impact (C:L/I:L/A:L). EPSS data not provided. Not listed in CISA KEV. Vendor (ItzCrazyKns) reportedly plans to implement basic authentication as remediation.

Technical ContextAI

This vulnerability stems from CWE-306 (Missing Authentication for Critical Function) in the route.ts file within Vane's API component. Vane appears to be a web application framework or service by developer ItzCrazyKns. The affected code fails to enforce authentication checks before processing API requests to specific route handlers, allowing unauthenticated remote callers to invoke functionality that should require credentials. The CPE identifier confirms affected versions through 1.12.1. This class of vulnerability is common in modern API frameworks when developers either omit authentication middleware entirely, misconfigure route protection, or fail to apply authentication decorators/guards to sensitive endpoints. The CVSS vector AV:N indicates network-accessible attack surface, while AC:H (high complexity) and the description's 'difficult exploitation' suggest additional environmental factors or attack prerequisites beyond simple unauthenticated access may be required for successful exploitation.

RemediationAI

Upgrade to Vane version 1.12.2 or later once the vendor releases a patched version implementing authentication controls, monitoring the GitHub repository at https://github.com/ItzCrazyKns/Vane for release announcements. The vendor has indicated plans to implement basic authentication (per CVE description and CVSS RL:W workaround status), though exact fix version is not confirmed in provided data. Until patched version deploys, implement network-level access controls: restrict API endpoint access to trusted IP ranges or internal networks only using firewall rules or reverse proxy ACLs, accepting the trade-off of reduced external API accessibility. Deploy a web application firewall (WAF) or API gateway with custom rules requiring authentication headers on route.ts endpoints, though this introduces infrastructure complexity and potential latency. Review application logs for unauthorized API access patterns matching exploit signatures from GitHub issue #1123. If Vane API endpoints are non-essential in your deployment, disable the API component entirely until patched. Monitor GitHub issues #1122 and #1123 for vendor-provided workarounds or configuration guidance. Consult VulDB advisories at https://vuldb.com/vuln/365334/cti for additional mitigation strategies.

Share

CVE-2026-9371 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy