
Astro EUVD-2026-14982

CVE-2026-33768 · MEDIUM
Unintended Proxy or Intermediary ('Confused Deputy') (CWE-441)
2026-03-24 GitHub_M GHSA-mr6q-rp88-fx84
6.5
CVSS 3.1 · GitHub Advisory

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality: Low
  • Integrity: Low
  • Availability: None

Lifecycle Timeline

  • Mar 31, 2026 - 21:13 (nvd): Patch released (patch available)
  • Mar 24, 2026 - 19:00 (euvd): EUVD ID assigned (EUVD-2026-14982)
  • Mar 24, 2026 - 19:00 (vuln.today): Analysis generated
  • Mar 24, 2026 - 18:40 (nvd): CVE published

Current severity: MEDIUM 6.5

Description (GitHub Advisory)

Astro is a web framework. Prior to version 10.0.2, the @astrojs/vercel serverless entrypoint reads the x-astro-path header and x_astro_path query parameter to rewrite the internal request path, with no authentication whatsoever. On deployments without Edge Middleware, this lets anyone bypass Vercel's platform-level path restrictions entirely. The override preserves the original HTTP method and body, so this isn't limited to GET. POST, PUT, DELETE all land on the rewritten path. A Firewall rule blocking /admin/* does nothing when the request comes in as POST /api/health?x_astro_path=/admin/delete-user. This issue has been patched in version 10.0.2.

Analysis (AI)

The @astrojs/vercel serverless adapter in Astro versions prior to 10.0.2 contains an unauthenticated path-override vulnerability (a confused-deputy issue, CWE-441) that allows attackers to bypass platform-level security restrictions by supplying the x-astro-path header or the x_astro_path query parameter. Any remote attacker without authentication can rewrite internal request paths to reach restricted endpoints such as /admin/*; because the rewrite preserves the original HTTP method and request body, POST, PUT, and DELETE operations land on the protected resources as well. …
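The two passages above describe the same mechanism: the platform firewall evaluates the URL path it sees (/api/health), while the adapter routes on a path supplied in an unauthenticated header or query parameter. Until the upgrade to 10.0.2 is in place, a defender wants two things: a request-time check that refuses any request carrying those override vectors, and a way to find past abuse in access logs. The following is an added example written for this page; it is not code from the advisory, from Astro, or from Vercel. The function names, the plain `{ method, url, headers }` request shape (not Vercel's middleware API), the log-line format and the sample log lines are all constructed for the example.

```javascript
// Added example (not part of the advisory or of the @astrojs/vercel adapter):
// a defensive pre-filter that refuses requests carrying the unauthenticated
// path-override vectors named in the advisory (x-astro-path header,
// x_astro_path query parameter), plus a scanner that flags the query vector
// in access-log lines. Function names, request shape, log format and sample
// data are all constructed for this example.

const OVERRIDE_HEADER = "x-astro-path"; // header named in the advisory
const OVERRIDE_QUERY = "x_astro_path";  // query parameter named in the advisory

// Case-insensitive lookup in a plain { name: value } header map.
function getHeader(headers, name) {
  const wanted = name.toLowerCase();
  for (const [key, value] of Object.entries(headers || {})) {
    if (key.toLowerCase() === wanted) return value;
  }
  return null;
}

// Inspect one request ({ method, url, headers }) and report whether it tries
// to override the routed path. Returns null when no override vector is present.
function findPathOverride(request) {
  const url = new URL(request.url);
  const fromHeader = getHeader(request.headers, OVERRIDE_HEADER);
  const fromQuery = url.searchParams.get(OVERRIDE_QUERY);
  if (fromHeader === null && fromQuery === null) return null;
  return {
    method: request.method,
    requestedPath: url.pathname,           // path the platform firewall evaluated
    overridePath: fromHeader ?? fromQuery, // path the adapter would route to
    via: fromHeader !== null ? "header" : "query",
  };
}

// Guard decision for a pre-adapter hook: block with 400 when any override
// vector is present, otherwise let the request continue. Blocking outright is
// safer than stripping, since a legitimate client never sends these.
function guardRequest(request) {
  const override = findPathOverride(request);
  if (override === null) return { action: "continue" };
  return {
    action: "block",
    status: 400,
    reason: `path override via ${override.via}: ` +
      `${override.requestedPath} -> ${override.overridePath}`,
  };
}

// Access-log scanner. Constructed log format: "<ts> <method> <path+query> <status>".
// Only the query vector is visible in such logs; the header vector is not,
// which is why the request-time guard above is the primary control.
const LOG_LINE = /^(\S+) (\S+) (\S+) (\d{3})$/;

function scanAccessLog(lines) {
  const hits = [];
  for (const line of lines) {
    const m = LOG_LINE.exec(line);
    if (!m) continue;
    const [, timestamp, method, target, status] = m;
    // Base URL is only needed so that a bare path parses; it is never used.
    const url = new URL(target, "http://log.invalid");
    const overridePath = url.searchParams.get(OVERRIDE_QUERY); // URL-decoded
    if (overridePath === null) continue;
    hits.push({
      timestamp,
      method,
      requestedPath: url.pathname,
      overridePath,
      status: Number(status),
    });
  }
  return hits;
}

// Constructed sample log: one clean call, two override attempts (one with a
// percent-encoded path), and one direct request the firewall stopped.
const SAMPLE_LOG = [
  "2026-03-24T19:00:01Z GET /api/health 200",
  "2026-03-24T19:00:02Z POST /api/health?x_astro_path=/admin/delete-user 200",
  "2026-03-24T19:00:03Z DELETE /api/health?x_astro_path=%2Fadmin%2Fusers%2F42 200",
  "2026-03-24T19:00:04Z GET /admin/delete-user 403",
];

console.log(JSON.stringify(scanAccessLog(SAMPLE_LOG), null, 2));
```

The scanner decodes the parameter via `URL.searchParams`, so a percent-encoded override path is matched the same way the adapter would see it. Note the asymmetry it exposes: a 200 on /api/health with an override parameter is the signature to hunt for, because the firewall logged the request as allowed while the application served the rewritten path.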


Vulnerability Assessment (AI)

Risk Assessment: The CVSS v3.1 score of 6.5 (Medium) reflects an unauthenticated network-based attack with low complexity, resulting in partial confidentiality and integrity impact but no availability impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.

Exploit Scenario: An attacker discovers an Astro application deployed on Vercel with a protected /admin/delete-user endpoint that is blocked by platform firewall rules. The attacker sends a crafted POST request to /api/health?x_astro_path=/admin/delete-user with a malicious request body containing user deletion parameters. …

Remediation: Immediately upgrade the @astrojs/vercel adapter to version 10.0.2 or later by updating your package.json dependency and running npm install (or the equivalent package manager command). … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended Action (AI)

Within 30 days: Identify affected systems and apply vendor patches as part of regular patch cycle. …


EUVD-2026-14982 vulnerability details – vuln.today
