CVE-2026-8890

HIGH

code100x Mobile API Authentication Bypass via Header Spoofing

Title source: cna

Description

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.

References (5)

Core 5

Core References

Technical Description technical-description

https://github.com/code100x/cms/issues/1924

https://github.com/code100x/cms/pull/1927

https://github.com/code100x/cms/pull/1927/changes/90b489ee7c63c301107d6374d4b3f2b8e4060fe5

https://github.com/code100x/cms/pull/1927/changes/88c6c5e94e23da101235c4c7e9c7591ac1016549

Third Party Advisory third-party-advisory

https://www.vulncheck.com/advisories/code100x-mobile-api-authentication-bypass-via-header-spoofing

Scores

CVSS v3 8.2

EPSS 0.0049

EPSS Percentile 38.1%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable yes

Technical Impact partial

Details

CWE

CWE-639

Status published

Products (2)

code100x/code100x < 88c6c5e94e23da101235c4c7e9c7591ac1016549

code100x/code100x < 90b489ee7c63c301107d6374d4b3f2b8e4060fe5

Published May 26, 2026

Tracked Since May 27, 2026