VYPR
High severity · NVD Advisory · Published Apr 27, 2021 · Updated Aug 3, 2024

Authentication bypass

CVE-2021-29441

Description

Nacos is a platform designed for dynamic service discovery and configuration and service management. In Nacos before version 1.4.1, when configured to use authentication (-Dnacos.core.auth.enabled=true) Nacos uses the AuthFilter servlet filter to enforce authentication. This filter has a backdoor that enables Nacos servers to bypass this filter and therefore skip authentication checks. This mechanism relies on the user-agent HTTP header so it can be easily spoofed. This issue may allow any user to carry out any administrative tasks on the Nacos server.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.alibaba.nacos:nacos-common (Maven)
Affected versions: < 1.4.1
Patched versions: 1.4.1

Affected products: 2

Patches

Vulnerability mechanics

Root cause

"Missing input validation in URL path handling allows a trailing-slash bypass of the authentication filter."

Attack vector

An attacker sends an HTTP request to any Nacos administrative endpoint with a trailing slash appended to the path (e.g., `POST /nacos/v1/auth/users/?username=test&password=test`). `ControllerMethodsCache.getMethod()` builds a URL key from the request path and looks it up by exact string match; because no registered mapping ends with `/`, the lookup returns `null`. `AuthFilter` treats a `null` method as "no handler to protect" and calls `chain.doFilter()`, so the request reaches the web framework, whose own routing tolerates the trailing slash and dispatches it to the real handler with no authentication having been performed. This allows unauthenticated attackers to call any administrative API, including user creation and data access. The attack requires only network access to the Nacos server and no valid credentials. Note that the NVD text above describes the spoofable User-Agent backdoor in the same filter; the mechanics here cover a second way past it, the path-matching gap reproduced in the researcher's proof-of-concept. [CWE-290] [ref_id=1]

Affected code

The vulnerability resides in `com.alibaba.nacos.core.auth.AuthFilter#doFilter` and `com.alibaba.nacos.core.code.ControllerMethodsCache#getMethod`. When the server-identity key-value check is enabled, a request that does not carry the expected identity header is not rejected outright; it falls through to the per-request check, which begins by resolving the handler and testing `method == null`. By appending a trailing slash to the URL path (e.g., `/nacos/v1/auth/users/`), the attacker makes that `getMethod` lookup return `null`, because no `@RequestMapping` ends with a slash, and the filter then skips all subsequent authentication logic and passes the request through.

What the fix does

The patch addresses the bypass in two ways. First, in `ControllerMethodsCache`, the `getPath()` method now throws a `NacosRuntimeException` on invalid URIs instead of returning `null`, and the `getMethod()` method no longer returns `null` when the path is `null`. Additionally, when registering URL mappings, a backup key with a trailing slash (`urlKey + "/"`) is stored so that requests with a trailing slash still find the correct handler. Second, in `AuthFilter`, when `method == null` the filter now sends an HTTP 404 error instead of blindly calling `chain.doFilter()`, ensuring that unmatched paths are rejected rather than passed through without authentication. [patch_id=6635520]
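The lookup, the `method == null` decision and the two halves of the fix, modelled as an added Python example written for this page (it is illustrative code, not Nacos source): an exact-match URL-key cache with an optional trailing-slash backup key, a filter that either forwards an unmatched path (vulnerable) or answers 404 (patched), and a stand-in for the framework's trailing-slash-tolerant routing that turns the fall-through into a reachable handler. The route table, the `VERB-->path` key shape, `VALID_TOKEN`, `dispatch()` and `probe()` are assumptions of the model.

```python
"""Model of the Nacos AuthFilter path-lookup bypass and its fix (CVE-2021-29441).

Added illustration written for this page, not Nacos source. Names such as
ROUTES, VALID_TOKEN, dispatch() and probe() are hypothetical.
"""
from urllib.parse import urlsplit

# Constructed stand-ins for the @RequestMapping registrations that the real
# ControllerMethodsCache builds its URL-key table from.
ROUTES = {
    ("GET", "/nacos/v1/auth/users"): "UserController.getUsers",
    ("POST", "/nacos/v1/auth/users"): "UserController.createUser",
    ("GET", "/nacos/v1/cs/configs"): "ConfigController.getConfig",
}

VALID_TOKEN = "constructed-token"  # stand-in for a valid Nacos accessToken


class ControllerMethodsCache:
    """Exact-string URL-key lookup, as in the real cache.

    With trailing_slash_backup=True the fix's extra key (urlKey + "/") is
    registered alongside each mapping, so ".../users/" resolves to the handler.
    """

    def __init__(self, routes, trailing_slash_backup):
        self.methods = {}
        for (verb, path), handler in routes.items():
            key = f"{verb}-->{path}"  # key shape is an assumption of this model
            self.methods[key] = handler
            if trailing_slash_backup:
                self.methods[key + "/"] = handler

    def get_method(self, verb, request_uri):
        path = urlsplit(request_uri).path  # the query string is not part of the key
        return self.methods.get(f"{verb}-->{path}")


def dispatch(verb, request_uri):
    """Stand-in for the web framework's own routing after the filter chain.

    Deliberately tolerant of a trailing slash: that tolerance is what turns
    the filter's fall-through into a reachable, unauthenticated handler.
    """
    path = urlsplit(request_uri).path.rstrip("/")
    handler = ROUTES.get((verb, path))
    return (200, handler) if handler else (404, None)


def auth_filter(cache, verb, request_uri, headers, patched):
    """Model of AuthFilter.doFilter; returns (http_status, handler_that_ran)."""
    method = cache.get_method(verb, request_uri)
    if method is None:
        if patched:
            return 404, None  # fix: an unmatched path is rejected, not forwarded
        return dispatch(verb, request_uri)  # vulnerable: chain.doFilter() with no auth check
    if headers.get("accessToken") != VALID_TOKEN:
        return 403, None  # normal path: handler known, credentials required
    return dispatch(verb, request_uri)


def probe(patched):
    """Run the advisory's two PoC requests plus two controls, all unauthenticated."""
    cache = ControllerMethodsCache(ROUTES, trailing_slash_backup=patched)
    return {
        "list_users": auth_filter(cache, "GET", "/nacos/v1/auth/users/?pageNo=1&pageSize=9", {}, patched),
        "create_user": auth_filter(cache, "POST", "/nacos/v1/auth/users/?username=test&password=test", {}, patched),
        "exact_path": auth_filter(cache, "GET", "/nacos/v1/auth/users?pageNo=1&pageSize=9", {}, patched),
        "unknown_path": auth_filter(cache, "GET", "/nacos/v1/does-not-exist/", {}, patched),
    }


if __name__ == "__main__":
    for label, patched in (("vulnerable", False), ("patched", True)):
        print(label, probe(patched))
```

Running it shows the asymmetry the advisory describes: on the vulnerable configuration the exact path is correctly refused (403) while the same path with a trailing slash runs the handler (200), and on the patched configuration both shapes are refused until a valid `accessToken` is presented, with a genuinely unknown path now answered 404 instead of being forwarded.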

Preconditions

  • config: Nacos authentication must be enabled (`nacos.core.auth.enabled=true`); with it off there is nothing to bypass.
  • config: For the path-matching route to be the relevant one, the server-identity key-value check must be active (`nacos.core.auth.enable.userAgentAuthWhite=false` with both `nacos.core.auth.server.identity.key` and `nacos.core.auth.server.identity.value` set). With the User-Agent whitelist on instead, the filter can be passed by spoofing that header alone, as the description above states.
  • network: The attacker needs network access to the Nacos HTTP API (default port 8848); no credentials are required.

Reproduction

```bash
# List users (bypass authentication)
curl -X GET 'http://127.0.0.1:8848/nacos/v1/auth/users/?pageNo=1&pageSize=9' --path-as-is

# Create a new user (bypass authentication)
curl -X POST 'http://127.0.0.1:8848/nacos/v1/auth/users/?username=test&password=test' --path-as-is
```

These steps are taken directly from the researcher's proof-of-concept in [ref_id=1]. The only thing that matters in the request is the `/` immediately before the query string; `--path-as-is` merely stops curl from squashing `/../` and `/./` sequences before sending, so the path goes out exactly as written. Read the result by status: an unpatched server answers the first request with the user list (HTTP 200) and the second by creating the user `test`, whereas a server carrying the fix resolves the trailing-slash path to the handler through the backup key and refuses the unauthenticated request.
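For the defensive side, an added Python example (written for this page; not from the advisory, the researcher or the Nacos project) that hunts for both bypass shapes in HTTP access logs: a `/nacos/v1/` request whose path ends in `/` and was answered 200, and a client presenting the server User-Agent from an address outside the cluster allowlist. The log lines, the `CLUSTER_MEMBERS` allowlist and the `find_bypass_attempts()` name are constructed for the example, and the `Nacos-Server` prefix is taken from the Nacos source rather than from this page, so confirm it against your version's `AuthFilter` before relying on that rule.

```python
"""Hunt for CVE-2021-29441 bypass patterns in HTTP access logs.

Added example written for this page, not part of the advisory or Nacos.
SAMPLE_LOG, CLUSTER_MEMBERS and SERVER_UA_PREFIX are constructed/assumed.
"""
import re
from urllib.parse import urlsplit

# Constructed combined-format access-log lines; not real Nacos output.
SAMPLE_LOG = """\
10.0.0.5 - - [27/Apr/2021:10:00:01 +0000] "GET /nacos/v1/auth/users?pageNo=1&pageSize=9 HTTP/1.1" 403 61 "-" "curl/7.68.0"
10.0.0.5 - - [27/Apr/2021:10:00:02 +0000] "GET /nacos/v1/auth/users/?pageNo=1&pageSize=9 HTTP/1.1" 200 512 "-" "curl/7.68.0"
10.0.0.5 - - [27/Apr/2021:10:00:03 +0000] "POST /nacos/v1/auth/users/?username=test&password=test HTTP/1.1" 200 19 "-" "curl/7.68.0"
10.0.0.7 - - [27/Apr/2021:10:00:04 +0000] "GET /nacos/v1/cs/configs?dataId=app&group=DEFAULT_GROUP HTTP/1.1" 200 88 "-" "Nacos-Server"
10.0.1.2 - - [27/Apr/2021:10:00:05 +0000] "GET /nacos/v1/cs/configs?dataId=app&group=DEFAULT_GROUP HTTP/1.1" 200 88 "-" "Nacos-Server"
10.0.0.9 - - [27/Apr/2021:10:00:06 +0000] "GET /nacos/ HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<verb>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Addresses of legitimate peer servers in the cluster (constructed allowlist).
CLUSTER_MEMBERS = {"10.0.1.2"}
# Value the filter whitelists; taken from the Nacos source, not from the
# advisory text. Confirm it against your version's AuthFilter before use.
SERVER_UA_PREFIX = "Nacos-Server"


def find_bypass_attempts(log_text, cluster_members=CLUSTER_MEMBERS,
                         server_ua_prefix=SERVER_UA_PREFIX):
    """Return one finding dict per suspicious line, in log order."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        target = m["target"]
        path = urlsplit(target).path
        if not path.startswith("/nacos/v1/"):
            continue
        base = {"src": m["src"], "ts": m["ts"], "verb": m["verb"], "target": target}
        # Rule 1: API path with a trailing slash that was answered 200. On an
        # unpatched server this shape skips AuthFilter entirely; after the fix
        # it is authenticated like the exact path, so a 200 here implies a token.
        if path.endswith("/") and m["status"] == "200":
            findings.append({**base, "rule": "trailing_slash"})
        # Rule 2: a client claiming to be a Nacos server from outside the cluster.
        if m["ua"].startswith(server_ua_prefix) and m["src"] not in cluster_members:
            findings.append({**base, "rule": "spoofed_server_ua", "ua": m["ua"]})
    return findings


if __name__ == "__main__":
    for f in find_bypass_attempts(SAMPLE_LOG):
        print(f["rule"], f["src"], f["verb"], f["target"])
```

On the sample above the first rule flags the two PoC requests and the second flags the peer claim from 10.0.0.7, while the genuine peer 10.0.1.2 and the `/nacos/` console hit are ignored. Rule 1 is a hunting signal rather than proof: an operator who sends trailing-slash requests with a valid token will also match it, so pair it with the absence of an `accessToken` or `Authorization` value if your log format records one.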

Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 4 (the list is not reproduced on this page; [ref_id=1] cited above is the researcher's proof-of-concept)

News mentions: 0. No linked articles in our index yet.