CVE-2021-43116

HIGH

Nacos < 2.0.3 - Improper Authentication via Packet Manipulation

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2021-43116. PoCs published by Jenson Zhao, Immer5ion.

AI-analyzed exploit summary This script checks for the presence of CVE-2021-43116, an access control vulnerability in Nacos up to version 2.0.3. It generates a JWT token and tests if the target endpoint is vulnerable by sending a crafted request.

Description

An Access Control vulnerability exists in Nacos 2.0.3 in the access prompt page; enter username and password, click on login to capture packets and then change the returned package, which lets a malicious user login.

Exploits (2)

exploitdb SCANNER

by Jenson Zhao · pythonwebappsjava

https://www.exploit-db.com/exploits/51205

View Code ZIP pw:eip

This script checks for the presence of CVE-2021-43116, an access control vulnerability in Nacos up to version 2.0.3. It generates a JWT token and tests if the target endpoint is vulnerable by sending a crafted request.

Classification

Scanner 90%

Attack Type

Auth Bypass

Complexity

Moderate

Reliability

Reliable

Target: Nacos up to (including) 2.0.3

No auth needed

Prerequisites: Python environment with PyJWT and requests libraries · Network access to the target Nacos instance

MITRE ATT&CK

T1550.001 - Application Access Token

devstral-2 · analyzed Feb 16, 2026 Full analysis →

github SCANNER

by Immer5ion · pythonpoc

https://github.com/Immer5ion/cve_poc/tree/main/CVE-2021-43116.py

View Code ZIP pw:eip

This script checks for the presence of CVE-2021-43116, an access control vulnerability in Nacos up to version 2.0.3, by generating a JWT token and sending a request to the target URL. It does not exploit the vulnerability but scans for its presence.

Classification

Scanner 90%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: Nacos up to 2.0.3

No auth needed

Prerequisites: target URL · PyJWT and requests libraries

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed Feb 27, 2026 Full analysis →

References (3)

Core 3

Core References

Exploit, Issue Tracking, Third Party Advisory

https://github.com/alibaba/nacos/issues/7127

Exploit, Issue Tracking, Third Party Advisory

https://github.com/alibaba/nacos/issues/7182

Exploit, Third Party Advisory

http://packetstormsecurity.com/files/171638/Nacos-2.0.3-Access-Control.html

Scores

CVSS v3 8.8

EPSS 0.0578

EPSS Percentile 90.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Details

CWE

CWE-287

Status published

Products (2)

alibaba/nacos < 2.0.3

com.alibaba.nacos/nacos-client 0Maven

Published Jul 05, 2022

Tracked Since Feb 18, 2026