CVE Catalog

CVE-2026-8890

High
Published: Translated: NVD NIST

Summary

CVE-2026-8890 describes an authentication bypass vulnerability in the Mobile API of code100x that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header.

Risk Assessment

This vulnerability poses a significant risk to organizations as it allows unauthorized access to course data belonging to any enrolled user or administrator, potentially leading to sensitive information leakage.

Recommendation

It is recommended to implement validation of the Auth-Key header value and additional authorization mechanisms to prevent unauthorized access to data.

Original NVD description (English source)

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS