CVE-2026-8890
code100x Mobile API Authentication Bypass via Header Spoofing
CVSS Score
8.2
EPSS Score
0.0%
EPSS Percentile
0th
code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.
| CWE | CWE-639 |
| Vendor | code100x |
| Product | code100x |
| Published | May 26, 2026 |
| Last Updated | May 26, 2026 |
Stay Ahead of the Next One
Get instant alerts for code100x code100x
Be the first to know when new high vulnerabilities affecting code100x code100x are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None
Affected Versions
code100x / code100x
0 < 90b489ee7c63c301107d6374d4b3f2b8e4060fe5 0 < 88c6c5e94e23da101235c4c7e9c7591ac1016549
References
github.com: https://github.com/code100x/cms/issues/1924 github.com: https://github.com/code100x/cms/pull/1927 github.com: https://github.com/code100x/cms/pull/1927/changes/90b489ee7c63c301107d6374d4b3f2b8e4060fe5 github.com: https://github.com/code100x/cms/pull/1927/changes/88c6c5e94e23da101235c4c7e9c7591ac1016549 vulncheck.com: https://www.vulncheck.com/advisories/code100x-mobile-api-authentication-bypass-via-header-spoofing
Credits
Shravan Manne VulnCheck