๐Ÿ” CVE Alert

CVE-2026-58488

UNKNOWN 0.0

HedgeDoc: Rate-limit bypass via CF-Connecting-IP header spoofing

CVSS Score
0.0
EPSS Score
0.0%
EPSS Percentile
0th

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Versions prior to 1.11.0 allowed attackers to circumvent the rate-limiting of the /login and /register routes by spoofing IP addresses. HedgeDoc instances checked for CloudFlare's cf-connecting-ip header and used that instead of the users real IP address, if the header was present even when the request did not originate from Cloudflare. This made it possible for an attacker to spam login requests or create multiple arbitrary accounts by sending another cf-connecting-ip header every few requests. The issue has been fixed in version 1.11.0.

CWE CWE-290 CWE-770
Vendor hedgedoc
Product hedgedoc
Published Jul 13, 2026
Last Updated Jul 14, 2026
Stay Ahead of the Next One

Get instant alerts for hedgedoc hedgedoc

Be the first to know when new unknown vulnerabilities affecting hedgedoc hedgedoc are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

hedgedoc / hedgedoc
< 1.11.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-2f9f-w8xq-276v