CVE-2026-58169
HighCVSS 7.5Exploitation Probability (EPSS)
Low risk20th percentile — higher than 20% of all known CVEs
Summary
A DNS rebinding vulnerability in Vibe-Trading before 0.1.10 allows bypassing bearer-token authentication. The attacker exploits the server's trust of TCP peer addresses for loopback clients and missing Host header validation while binding to 0.0.0.0 with credentialed CORS. This leads to remote code execution and credential exfiltration.
Risk Assessment
The risk includes remote takeover of the API server, arbitrary code execution as the API process user, and leakage of sensitive credentials such as LLM and data-source settings.
Recommendation
Immediately upgrade Vibe-Trading to version 0.1.10 or later. Additionally, implement Host header validation and bind to localhost instead of 0.0.0.0.
Original NVD description (English source)
Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to 0.0.0.0 with credentialed CORS. Attackers can craft a malicious DNS rebinding page to issue authenticated requests to the local API server, reach the shell execution endpoint with a bash-enabled preset, and achieve remote code execution as the API process user while also overwriting LLM and data-source settings to exfiltrate credentials.

