CVE-2026-8890 · HIGH 8.2 · EPSS p38.2%


Description

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.

Scoring

CVSS 3.1: 8.2 (HIGH)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
EPSS: 0.49% probability of exploitation · percentile 38.2% · 2026-06-18T12:00:27Z
Published: 2026-05-26
Last modified: 2026-05-26

Underlying weaknesses (1)

CWE-639

References

  1. https://github.com/code100x/cms/issues/1924
  2. https://github.com/code100x/cms/pull/1927
  3. https://github.com/code100x/cms/pull/1927/changes/88c6c5e94e23da101235c4c7e9c7591ac1016549
  4. https://github.com/code100x/cms/pull/1927/changes/90b489ee7c63c301107d6374d4b3f2b8e4060fe5
  5. https://www.vulncheck.com/advisories/code100x-mobile-api-authentication-bypass-via-header-spoofing


Type      | Target                                                      | Confidence | Tier
Weakness  | Authorization Bypass Through User-Controlled Key (CWE-639)  | 0%         | live

Related by meaning (6)

Nearest entities by semantic similarity across the cs-graph corpus.

CVE: CVE-2026-42280
CVE: CVE-2025-67298
CVE: CVE-2025-68860
CVE: CVE-2026-23899
CVE: CVE-2026-10731
CVE: CVE-2026-25197

Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.