CVE-2021-29441

HIGH EXPLOITED IN THE WILD NUCLEI

Nacos < 1.4.1 - Authentication Bypass via User-Agent Spoofing

Title source: llm
STIX 2.1

Exploitation Summary

CVE-2021-29441 has been observed exploited in the wild (reported by VulnCheck KEV, InTheWild.io). EIP tracks 4 public exploits from researchers including azhao1981, hh-hunter. A Nuclei detection template is also available.

AI-analyzed exploit summary This Go script exploits CVE-2021-29441, an authentication bypass vulnerability in Alibaba Nacos, allowing unauthorized user creation. It checks for vulnerability presence and optionally creates a new user with specified credentials.

Description

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server.

Exploits (4)

nomisec WORKING POC
by azhao1981 · poc
https://github.com/azhao1981/CVE-2021-29441

This Go script exploits CVE-2021-29441, an authentication bypass vulnerability in Alibaba Nacos, allowing unauthorized user creation. It checks for vulnerability presence and optionally creates a new user with specified credentials.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Alibaba Nacos (versions affected by CVE-2021-29441)
No auth needed
Prerequisites: Network access to Nacos server · Nacos server running a vulnerable version
devstral-2 · analyzed Feb 18, 2026 Full analysis →
nomisec STUB
by hh-hunter · poc
https://github.com/hh-hunter/nacos-cve-2021-29441

The repository contains Docker Compose configurations for setting up Nacos with MySQL in both vulnerable and patched states but lacks actual exploit code or technical details about CVE-2021-29441.

Classification
Stub 90%
Attack Type
Other
Complexity
Trivial
Reliability
Theoretical
Target: Nacos Server 1.4.0
No auth needed
Prerequisites: Docker environment
devstral-2 · analyzed Feb 18, 2026 Full analysis →
vulncheck_xdb WORKING POC
remote
https://github.com/bysinks/CVE-2021-29441

This Go-based exploit demonstrates CVE-2021-29441, an authentication bypass vulnerability in Alibaba Nacos that allows unauthorized user creation. The PoC sends crafted HTTP requests to add a new user without authentication.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Alibaba Nacos (versions affected by CVE-2021-29441)
No auth needed
Prerequisites: Network access to Nacos server · Nacos server exposed on default or known path
devstral-2 · analyzed Feb 26, 2026 Full analysis →
inthewild WORKING POC
poc
https://github.com/bysinks/cve-2021-29441

This Go-based exploit demonstrates CVE-2021-29441, an authentication bypass vulnerability in Alibaba Nacos. It creates a new user account without proper authorization by sending crafted HTTP requests to the '/nacos/v1/auth/users' endpoint.

Classification
Working Poc 90%
Attack Type
Auth Bypass
Complexity
Trivial
Reliability
Reliable
Target: Alibaba Nacos (versions affected by CVE-2021-29441)
No auth needed
Prerequisites: network access to Nacos server · Nacos server exposed on default or known path
devstral-2 · analyzed Feb 23, 2026 Full analysis →

Nuclei Templates (1)

Nacos <1.4.1 - Authentication Bypass
CRITICALby dwisiswant0

References (3)

Core 3
Core References
Exploit, Third Party Advisory x_refsource_misc
https://github.com/alibaba/nacos/issues/4701
Exploit, Third Party Advisory x_refsource_confirm
https://github.com/advisories/GHSA-36hp-jr8h-556f
Patch, Third Party Advisory x_refsource_misc
https://github.com/alibaba/nacos/pull/4703

Scores

CVSS v3 8.6
EPSS 0.9392
EPSS Percentile 99.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N

Details

VulnCheck KEV 2023-12-01
InTheWild.io 2021-04-12
CWE
CWE-290
Status published
Products (2)
alibaba/nacos < 1.4.1
com.alibaba.nacos/nacos-common 0 - 1.4.1Maven
Published Apr 27, 2021
Tracked Since Feb 18, 2026