API token verification can be bypassed
Description
NodeBB is an open source Node.js based forum software. In affected versions, incorrect logic in the token verification step unintentionally allowed master token access to the API. The vulnerability has been patched as of v1.18.5. Users are advised to upgrade as soon as possible.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Incorrect token verification in NodeBB before v1.18.5 allows an authentication bypass that grants master token API access.
Vulnerability
NodeBB versions before 1.18.5 contain a flaw in the token verification step that incorrectly permits master token access to the API [1][2]. The affected versions include all releases prior to the patch introduced in v1.18.5 [1].
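To make the flaw concrete, the following added example (not NodeBB's own code) models the token lookup from `src/routes/authentication.js` before and after the v1.18.5 fix, together with the `uid` check that follows it. It assumes the settings shape the fix diff shows (an array of `{ token, uid }` objects under `core.api`); the sample token and the `classify` helper are constructed stand-ins.

```javascript
// Added example, not NodeBB's code: models the pre-fix and post-fix token
// lookup and the downstream uid branching. The { token, uid } array shape is
// taken from the fix diff; the sample data below is constructed.

// Constructed sample settings: one configured user token.
const SAMPLE_TOKENS = [{ token: 'tok-user-42', uid: 42 }];

// Pre-fix lookup: index the tokens into a plain object and read it back.
// A plain {} inherits Object.prototype, so a presented token that matches an
// inherited property name resolves to a defined value although no such token
// was ever configured.
function lookupUidVulnerable(tokens, token) {
  const index = tokens.reduce((memo, cur) => {
    memo[cur.token] = cur.uid;
    return memo;
  }, {});
  return index[token];
}

// Post-fix lookup (mirrors the v1.18.5 change): only an entry whose configured
// token string is strictly equal to the presented token yields a uid.
function lookupUidFixed(tokens, token) {
  const tokenObj = tokens.find(t => t.token === token);
  return tokenObj ? tokenObj.uid : undefined;
}

// Models the branching visible in the fix hunk: an undefined uid is rejected,
// a positive integer uid is a user token, and anything else falls into the
// non-user branch, which the advisory describes as master-token handling.
function classify(uid) {
  if (uid === undefined) return 'rejected';
  if (parseInt(uid, 10) > 0) return 'user';
  return 'master';
}

// Regression check a maintainer could keep: every Object.prototype property
// name must be rejected by the hardened lookup, and a configured token must
// still resolve to its user.
function verifyHardenedLookup(tokens) {
  const inherited = Object.getOwnPropertyNames(Object.prototype);
  const allRejected = inherited.every(
    name => classify(lookupUidFixed(tokens, name)) === 'rejected'
  );
  const configuredOk = classify(lookupUidFixed(tokens, 'tok-user-42')) === 'user';
  return allRejected && configuredOk;
}
```

Running `verifyHardenedLookup(SAMPLE_TOKENS)` returns `true` for the fixed lookup; the same names fed to `lookupUidVulnerable` come back defined and land in the non-user branch, which is the path the fix closes.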
Exploitation
An unauthenticated attacker can exploit this vulnerability remotely without any prior knowledge or credentials [1]. The attacker simply needs to send a specially crafted request that bypasses the flawed token verification logic to gain master token privileges [1].
Impact
Successful exploitation allows an attacker to completely bypass authentication for any user, effectively gaining full administrative control over the NodeBB instance [1]. This can lead to remote code execution and complete compromise of the forum server [1].
Mitigation
The vulnerability is patched in NodeBB version 1.18.5, released on 2021-10-27 [1][3]. Users should upgrade immediately [2]. No workarounds are available for unpatched versions.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nodebb (npm) | >= 1.15.0, < 1.18.5 | 1.18.5 |
Affected products
- NodeBB/NodeBB v5, range: >= 1.15.0, < 1.18.5
Patches
1 file changed · +3 −7
src/routes/authentication.js+3 −7 modified@@ -44,13 +44,9 @@ Auth.getLoginStrategies = function () { }; Auth.verifyToken = async function (token, done) { - let { tokens = [] } = await meta.settings.get('core.api'); - tokens = tokens.reduce((memo, cur) => { - memo[cur.token] = cur.uid; - return memo; - }, {}); - - const uid = tokens[token]; + const { tokens = [] } = await meta.settings.get('core.api'); + const tokenObj = tokens.find(t => t.token === token); + const uid = tokenObj ? tokenObj.uid : undefined; if (uid !== undefined) { if (parseInt(uid, 10) > 0) {
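Review bot: the removed lines indexed the configured tokens into a plain `{}` accumulator and then read `tokens[token]` with the caller-supplied string, so a lookup could resolve to a property inherited from `Object.prototype` and leave `uid` defined even though no configured token matched; with `parseInt(uid, 10) > 0` then false, the request fell into the non-user branch that the advisory describes as master-token access. The replacement `tokens.find(t => t.token === token)` only yields a `uid` from a configured entry, which closes that path. If an index is ever reintroduced for performance, build it with `Object.create(null)` or a `Map` rather than `{}`, and a regression test that presents an inherited property name as the token would keep this from recurring.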
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-hf2m-j98r-4fqw (advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-43786 (advisory)
- blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot (web)
- blog.sonarsource.com/nodebb-remote-code-execution-with-one-shot/ (MITRE reference)
- github.com/NodeBB/NodeBB/commit/04dab1d550cdebf4c1567bca9a51f8b9ca48a500 (fix commit)
- github.com/NodeBB/NodeBB/releases/tag/v1.18.5 (release)
- github.com/NodeBB/NodeBB/security/advisories/GHSA-hf2m-j98r-4fqw (advisory)
News mentions
No linked articles in our index yet.