CVE-2026-8890
HighSummary
CVE-2026-8890 describes an authentication bypass vulnerability in the Mobile API of code100x that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header.
Risk Assessment
This vulnerability poses a significant risk to organizations as it allows unauthorized access to course data belonging to any enrolled user or administrator, potentially leading to sensitive information leakage.
Recommendation
It is recommended to implement validation of the Auth-Key header value and additional authorization mechanisms to prevent unauthorized access to data.
Original NVD description (English source)
code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.

