Skip to main content

MiroFish EUVDEUVD-2026-25719

| CVE-2026-7042 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-04-26 VulDB
5.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
5.5 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

8
CVSS changed
Apr 29, 2026 - 01:12 NVD
6.9 (MEDIUM) 5.5 (MEDIUM)
PoC Detected
Apr 29, 2026 - 01:00 vuln.today
Public exploit code
Severity Changed
Apr 26, 2026 - 22:22 NVD
HIGH MEDIUM
CVSS changed
Apr 26, 2026 - 22:22 NVD
7.3 (HIGH) 6.9 (MEDIUM)
Analysis Generated
Apr 26, 2026 - 14:00 vuln.today
EUVD ID Assigned
Apr 26, 2026 - 13:30 euvd
EUVD-2026-25719
Analysis Generated
Apr 26, 2026 - 13:30 vuln.today
CVE Published
Apr 26, 2026 - 13:00 nvd
MEDIUM 5.5

DescriptionCVE.org

A flaw has been found in 666ghj MiroFish up to 0.1.2. This affects the function create_app of the file backend/app/__init__.py of the component REST API Endpoint. Executing a manipulation can lead to missing authentication. It is possible to launch the attack remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

AnalysisAI

Missing authentication in MiroFish REST API allows remote attackers to bypass security controls and access protected endpoints without credentials. The vulnerability affects MiroFish versions up to 0.1.2 in the create_app function within backend/app/__init__.py. A publicly available exploit demonstrates the attack (GitHub issue #487), and the vulnerability is trivially exploitable with CVSS complexity rated Low and no authentication required (CVSS:3.1/AV:N/AC:L/PR:N/UI:N). The vendor has not responded to responsible disclosure attempts, leaving users without an official patch. With CVSS 7.3 (High) and confirmed public POC, this represents an immediate risk to deployments exposing the REST API to untrusted networks.

Technical ContextAI

This vulnerability stems from CWE-306 (Missing Authentication for Critical Function) in the MiroFish REST API initialization code. The create_app function in backend/app/__init__.py fails to properly enforce authentication requirements on API endpoints, allowing unauthenticated remote callers to interact with protected resources. MiroFish appears to be a Python-based application using Flask or similar framework for its REST API (based on the create_app factory pattern common in Flask applications). The flaw likely involves missing decorators, middleware, or before_request handlers that should validate authentication tokens or session credentials before processing API requests. The CPE identifier cpe:2.3:a:666ghj:mirofish indicates this is a third-party open-source project maintained by developer 666ghj on GitHub.

RemediationAI

No vendor-released patch exists at time of analysis - the project maintainer has not responded to vulnerability disclosure via GitHub issue #487. Organizations must implement compensating controls immediately: (1) Deploy a reverse proxy (nginx, Apache, or cloud WAF) in front of MiroFish with authentication enforcement at the proxy layer using HTTP Basic Auth, OAuth2, or API keys; note this adds operational complexity for legitimate API clients who must now authenticate twice. (2) Restrict network access to the REST API endpoints using firewall rules, allowing only trusted IP ranges or internal networks; this breaks legitimate remote API access. (3) If the REST API is not required for operations, disable it entirely by modifying backend/app/__init__.py to comment out API route registration; this eliminates API functionality. (4) Monitor for unauthorized API access attempts via application logs and network intrusion detection. (5) Consider forking the project and applying authentication decorators to vulnerable endpoints, but this requires Python/Flask expertise and ongoing maintenance burden. Reference the exploit details at https://vuldb.com/vuln/359621 and https://github.com/666ghj/MiroFish/issues/487 to understand the exact attack pattern for detection signatures. Organizations should urgently evaluate alternative products given vendor unresponsiveness.

Share

EUVD-2026-25719 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy