Skip to main content

Code100X

1 CVEs product

Monthly

CVE-2026-8890 HIGH This Week

Authentication bypass in code100x CMS Mobile API allows unauthenticated remote attackers to impersonate any enrolled user or administrator by supplying a crafted JSON payload in the 'g' HTTP header alongside an unvalidated 'Auth-Key' header. The middleware shortcuts identity verification whenever an Auth-Key is present without checking its value, letting downstream mobile course endpoints trust attacker-supplied identity claims. Publicly available exploit code exists via the upstream GitHub PR diff, though EPSS probability remains low at 0.08%.

Authentication Bypass Code100X
NVD GitHub
CVSS 4.0
8.8
EPSS
0.1%
EPSS 0% CVSS 8.8
HIGH This Week

Authentication bypass in code100x CMS Mobile API allows unauthenticated remote attackers to impersonate any enrolled user or administrator by supplying a crafted JSON payload in the 'g' HTTP header alongside an unvalidated 'Auth-Key' header. The middleware shortcuts identity verification whenever an Auth-Key is present without checking its value, letting downstream mobile course endpoints trust attacker-supplied identity claims. Publicly available exploit code exists via the upstream GitHub PR diff, though EPSS probability remains low at 0.08%.

Authentication Bypass Code100X
NVD GitHub

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy