VYPR
High severity · 8.2 · NVD Advisory · Published May 26, 2026 · Updated May 26, 2026

CVE-2026-8890

Description

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Authentication bypass in code100x Mobile API allows unauthenticated attackers to impersonate users by spoofing the 'g' header.

Vulnerability

In code100x CMS, the Mobile API endpoint /api/mobile/courses/[courseId] is protected by a middleware in middleware.ts that incorrectly skips user identity header generation when an Auth-Key header is present, regardless of its value [1]. The downstream route handler in route.ts trusts the g header as the user identity, allowing an attacker to inject a spoofed g payload [2]. Affected versions include all releases prior to the fix in pull request #1927 [2].

Exploitation

An unauthenticated attacker with network access can send a crafted HTTP request with any Auth-Key value and a spoofed g header containing a JSON object with a target user ID [2]. The middleware passes the request without generating a legitimate g header, and the endpoint parses the attacker-supplied g header to check course access [1]. For example, curl -H "Auth-Key: validkey" -H 'g: {"id": "admin-id"}' https://site.com/api/mobile/courses/123 [2].

Impact

Successful exploitation allows the attacker to impersonate any enrolled user or administrator and access their course data, leading to unauthorized information disclosure [3]. The attacker gains read access to course content that should be restricted [1].

Mitigation

The vulnerability is fixed in pull request #1927 by validating the Auth-Key value against an environment variable and stripping any client-supplied g header before forwarding the request [2]. Users should update to the patched version immediately. No workaround is available other than applying the patch [2].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

  • Code100x/Cms (2 affected versions; no CPE assigned)

Patches

1 patch

0c9486b23cb3

Merge 88c6c5e94e23da101235c4c7e9c7591ac1016549 into 9f3c8f426cdaf22948f9f8e16e32f24fb7c9d059

https://github.com/code100x/cms · Mehran · May 22, 2026 · via nvd-ref

3 files changed · +18 −3
  • pnpm-workspace.yaml (+6 −0, added)
    @@ -0,0 +1,6 @@
    +allowBuilds:
    +  '@prisma/client': true
    +  '@prisma/engines': true
    +  bcrypt: true
    +  esbuild: true
    +  prisma: true
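Review bot: this hunk is unrelated to the Auth-Key fix and belongs in its own commit. Allow-listing install-time build scripts for `@prisma/client`, `@prisma/engines`, `bcrypt`, `esbuild` and `prisma` is a supply-chain trust decision (those packages may now run lifecycle scripts during `pnpm install`), so it should be called out in the PR description rather than ride along silently inside a security patch where reviewers are likely to skim past it.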
    
  • src/components/CourseView.tsx (+1 −1, modified)
    @@ -40,7 +40,7 @@ export const CourseView = ({
     
       return (
         <div className="relative flex w-full flex-col gap-8 pb-16 pt-8 xl:pt-[9px]">
    -      <div className="sticky top-[73px] z-10 flex flex-col gap-4 bg-background py-2 xl:pt-2">
    +      <div className="sticky top-[73px] z-20 flex flex-col gap-4 bg-background py-2 xl:pt-2">
             <BreadCrumbComponent
               course={course}
               contentType={contentType}
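Review bot: the `z-10` to `z-20` change in `CourseView.tsx` is a styling tweak with no relation to the authentication fix; bundling it here makes the security patch noisier to audit and harder to backport on its own. Split it into a separate commit, or at minimum mention it in the PR description.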
    
  • src/middleware.ts (+11 −2, modified)
    @@ -29,8 +29,17 @@ export const verifyJWT = async (token: string): Promise<JWTPayload | null> => {
     };
     
     export const withMobileAuth = async (req: RequestWithUser) => {
    -  if (req.headers.get('Auth-Key')) {
    -    return NextResponse.next();
    +
    +  const authKey=req.headers.get('Auth-Key');
    +   
    +  if (authKey && authKey===process.env.APPX_AUTH_KEY) {
    +      const newHeaders = new Headers(req.headers);
    +      newHeaders.delete('g');
    +      return NextResponse.next({
    +      request: {
    +        headers: newHeaders,
    +      },
    +    });
       }
       const token = req.headers.get('Authorization');
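Review bot: `newHeaders.delete('g')` runs only inside the valid Auth-Key branch; the JWT path that follows (`const token = req.headers.get('Authorization');`) still works from the original `req.headers`, so a request carrying both a token and a client-supplied `g` is safe only if that path overwrites `g` rather than merely passing it through. Deleting `g` from a copy of the headers before the `if` and forwarding that copy on both paths would make the invariant hold structurally instead of by convention. Two smaller points: `authKey===process.env.APPX_AUTH_KEY` compares a shared secret with `===`, which stops at the first mismatching character, so a constant-time comparison is the usual choice here (and note that an unset `APPX_AUTH_KEY` silently disables the Auth-Key path rather than failing loudly at startup); and the new lines mix two- and four-space indentation and drop the spaces around `=` in `const authKey=req.headers.get('Auth-Key');`, where the rest of the file uses two-space indentation.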
     
    

Vulnerability mechanics

Root cause

"Missing validation of the Auth-Key header value and failure to strip client-supplied g headers in the middleware allows unauthenticated user ID spoofing."

Attack vector

An unauthenticated attacker sends a crafted HTTP request to the mobile courses API endpoint. The request includes an `Auth-Key` header (any value passes the middleware check) and a spoofed `g` header containing a JSON payload with an arbitrary user ID, such as `{"id": "some-admin-id"}` [ref_id=2]. The middleware skips identity-header generation because `Auth-Key` is present, and the downstream route handler blindly parses the attacker-supplied `g` header as the authenticated user identity [CWE-287]. The database access subroutine then treats this spoofed identity as trusted, granting access to course data belonging to any enrolled user or administrator [ref_id=1].

Affected code

The vulnerability spans two files. In `/src/middleware.ts`, the `withMobileAuth` function checks only for the *presence* of the `Auth-Key` header, not its value, and returns `NextResponse.next()` without stripping any client-supplied headers [ref_id=1][ref_id=2]. In `/src/app/api/mobile/courses/[courseId]/route.ts`, the `GET` handler reads the user identity from the `g` header via `JSON.parse(request.headers.get('g') || '')` and trusts it without verifying whether the middleware actually generated it [ref_id=1].

What the fix does

The patch in pull request #1927 [patch_id=2568243] makes two changes to `withMobileAuth` in `/src/middleware.ts`. First, it validates the `Auth-Key` header value against the server-side secret `process.env.APPX_AUTH_KEY` instead of only checking for its existence [ref_id=2]. Second, it deletes any client-supplied `g` header from the request headers before forwarding the request via `newHeaders.delete('g')` [ref_id=2]. This ensures the `g` header is always either absent or set by the server (via the JWT path which overwrites it with a signed payload), never trusted from the client [ref_id=2].
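The pre- and post-patch middleware logic described above, together with the spoofed request from the Exploitation section, as an added example that is not code100x's own code: a self-contained TypeScript model of `withMobileAuth` before and after the fix, a downstream handler that reads `g`, and the four requests that matter. It goes beyond the patch in two places, stripping `g` before either branch rather than only on the Auth-Key path, and comparing the secret in constant time. The secret value, the token table standing in for `verifyJWT`, the `admin-id` target and the lower-cased `Map` used in place of the Fetch `Headers` object are all assumptions made for the demo.

```typescript
// Added example, not code100x's own code: a model of withMobileAuth before and
// after the fix plus the 'g'-reading handler, runnable offline. A lower-cased
// Map stands in for the Fetch Headers object Next.js middleware really uses.

type HeaderMap = Map<string, string>;

function headers(init: Record<string, string>): HeaderMap {
  return new Map(Object.entries(init).map(([k, v]) => [k.toLowerCase(), v]));
}

// Assumption: the shared secret the real code reads from process.env.APPX_AUTH_KEY.
const APPX_AUTH_KEY = 'constructed-secret-for-demo';

// Assumption: stand-in for verifyJWT(); maps a constructed bearer token to the
// identity the real code takes from the signed JWT payload.
const VALID_TOKENS: Record<string, { id: string }> = {
  'constructed-token-for-user-42': { id: 'user-42' },
};

type Decision = { status: number; forwarded?: HeaderMap };
type HandlerResult = { status: number; userId?: string };

// Pre-patch logic: any non-empty Auth-Key passes, and every client header,
// including a spoofed 'g', is forwarded untouched.
function withMobileAuthVulnerable(req: HeaderMap): Decision {
  if (req.get('auth-key')) {
    return { status: 200, forwarded: new Map(req) };
  }
  return jwtPath(req);
}

// Post-patch logic with two hardening choices beyond the patch: the secret is
// compared in constant time, and 'g' is stripped before either branch so no
// client-supplied identity survives on any path.
function withMobileAuthFixed(req: HeaderMap): Decision {
  const clean = new Map(req);
  clean.delete('g');
  const authKey = req.get('auth-key');
  if (authKey !== undefined && constantTimeEqual(authKey, APPX_AUTH_KEY)) {
    return { status: 200, forwarded: clean };
  }
  return jwtPath(clean);
}

// JWT branch shared by both versions: a recognised bearer token becomes the
// 'g' header, overwriting anything the client sent; otherwise reject.
function jwtPath(req: HeaderMap): Decision {
  const token = (req.get('authorization') ?? '').replace(/^Bearer\s+/i, '');
  const payload = VALID_TOKENS[token];
  if (!payload) {
    return { status: 401 };
  }
  const forwarded = new Map(req);
  forwarded.set('g', JSON.stringify(payload));
  return { status: 200, forwarded };
}

// Constant-time comparison: reveals only the length, not the position of the
// first mismatching character the way '===' does.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  const n = Math.max(a.length, b.length);
  for (let i = 0; i < n; i++) {
    diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Downstream route, modelled on the mobile courses handler: the user is whatever
// 'g' says. An absent 'g' (the Auth-Key path after the fix) means no identity,
// so user-scoped data is refused instead of letting JSON.parse('') throw.
function coursesHandler(forwarded: HeaderMap): HandlerResult {
  const raw = forwarded.get('g');
  if (raw === undefined) {
    return { status: 401 };
  }
  try {
    const identity = JSON.parse(raw);
    if (typeof identity?.id !== 'string') {
      return { status: 401 };
    }
    return { status: 200, userId: identity.id };
  } catch {
    return { status: 400 };
  }
}

// Middleware followed by handler, as the server would chain them.
function serve(middleware: (req: HeaderMap) => Decision, req: HeaderMap): HandlerResult {
  const decision = middleware(req);
  if (decision.status !== 200 || !decision.forwarded) {
    return { status: decision.status };
  }
  return coursesHandler(decision.forwarded);
}

// The advisory's reproduction request: arbitrary Auth-Key plus a spoofed 'g'
// naming an administrator ('admin-id' is a constructed identifier).
function spoofedRequest(authKey: string): HeaderMap {
  return headers({ 'Auth-Key': authKey, g: JSON.stringify({ id: 'admin-id' }) });
}

console.log('vulnerable:', serve(withMobileAuthVulnerable, spoofedRequest('validkey')));
// -> { status: 200, userId: 'admin-id' }  (impersonation succeeds)
console.log('fixed, wrong key:', serve(withMobileAuthFixed, spoofedRequest('validkey')));
// -> { status: 401 }
console.log('fixed, real key:', serve(withMobileAuthFixed, spoofedRequest(APPX_AUTH_KEY)));
// -> { status: 401 }  ('g' was stripped, so no identity reaches the handler)
console.log('fixed, token + spoofed g:', serve(withMobileAuthFixed,
  headers({ Authorization: 'Bearer constructed-token-for-user-42', g: '{"id":"admin-id"}' })));
// -> { status: 200, userId: 'user-42' }  (identity comes from the token, not the client)
```

The last case is the one the patch leaves to convention: with a valid token and a forged `g` in the same request, the identity the handler sees must come from the verified token. Stripping `g` before branching, as `withMobileAuthFixed` does, removes the dependence on the JWT path remembering to overwrite it.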

Preconditions

  • network: The attacker must be able to send HTTP requests to the mobile API endpoint
  • auth: No authentication or prior access is required; the attack is unauthenticated
  • input: The attacker supplies an arbitrary Auth-Key header (any value) and a crafted g header with a target user ID

Reproduction

The reference write-up at [ref_id=2] provides the following reproduction command:

```
curl -H "Auth-Key: validkey" \
     -H 'g: {"id": "some-admin-id"}' \
     https://site.com/api/mobile/courses/123
```

The attacker sends any value for `Auth-Key` (the middleware does not validate it) and a spoofed `g` header containing a JSON object with the target user's ID. The server returns course data for that user instead of returning a 403 Forbidden response [ref_id=1][ref_id=2].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (5)

News mentions (0): no linked articles in the index yet.