Medium severity · GHSA Advisory · Published May 29, 2026 · Updated Jun 1, 2026
CVE-2026-45577
Description
Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1.
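The auth-resolution pattern the description refers to, as a constructed illustration written for this page (not Neotoma's middleware, and not its 0.11.1 fix): a request that arrives over a loopback socket with no Bearer token is resolved as the local development user, which is exactly how a same-host reverse proxy delivers every public request. The hardened form gates the loopback shortcut behind an explicit operator opt-in and refuses it when the request carries forwarding headers; the `allowLoopbackDev` option, header names and request shape are assumptions.

```javascript
// Constructed illustration of the advisory's auth-resolution flaw.
// Request objects mimic Node's IncomingMessage (headers, socket.remoteAddress).
const LOCAL_DEV_USER = { id: "local-dev", source: "loopback" };

function hasBearer(req) {
  const h = req.headers["authorization"] || "";
  return /^Bearer\s+\S+$/i.test(h);
}

function isLoopback(addr) {
  return addr === "127.0.0.1" || addr === "::1" || addr === "::ffff:127.0.0.1";
}

// Vulnerable shape: loopback socket + no token => trusted local user.
// Behind a reverse proxy on the same host, public traffic looks like this.
function resolveRequesterVulnerable(req) {
  if (hasBearer(req)) return { id: "token", source: "bearer" };
  if (isLoopback(req.socket.remoteAddress)) return LOCAL_DEV_USER;
  return null;
}

// Hardened shape: the loopback shortcut is off by default (assumed
// allowLoopbackDev option) and never applies to a request that shows
// signs of forwarding. The header check is defense in depth only: a
// proxy may strip these headers, so the explicit opt-in is the real gate.
function resolveRequesterHardened(req, opts = { allowLoopbackDev: false }) {
  if (hasBearer(req)) return { id: "token", source: "bearer" };
  const forwarded =
    "x-forwarded-for" in req.headers || "forwarded" in req.headers;
  if (opts.allowLoopbackDev && !forwarded && isLoopback(req.socket.remoteAddress)) {
    return LOCAL_DEV_USER;
  }
  return null;
}

// Constructed request as a same-host reverse proxy would deliver it:
// public client, no Authorization header, loopback source address.
const proxiedPublicRequest = {
  headers: { host: "inspector.example.test", "x-forwarded-for": "203.0.113.9" },
  socket: { remoteAddress: "127.0.0.1" },
};

// Constructed request from a developer's own terminal, no proxy involved.
const directLocalRequest = { headers: {}, socket: { remoteAddress: "::1" } };
```

Detection note for operators of affected versions: REST access logs showing Inspector or API hits from loopback with no Authorization header but a populated X-Forwarded-For are the signature of this condition.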
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| neotoma (npm) | >= 0.6.0, < 0.11.1 | 0.11.1 |
Affected products
- Range: >= 0.6.0, < 0.11.1