CWE-290
AllowedAuthentication Bypass by Spoofing
Abstraction: Base · Status: Incomplete
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
927 vulnerabilities reference this CWE, most recent first.
GHSA-5HRC-F88X-6WM7
Vulnerability from github – Published: 2023-09-25 18:30 – Updated: 2024-04-04 07:50The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing.
{
"affected": [],
"aliases": [
"CVE-2023-4631"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2023-09-25T16:15:15Z",
"severity": "MODERATE"
},
"details": "The DoLogin Security WordPress plugin before 3.7 uses headers such as the X-Forwarded-For to retrieve the IP address of the request, which could lead to IP spoofing.",
"id": "GHSA-5hrc-f88x-6wm7",
"modified": "2024-04-04T07:50:42Z",
"published": "2023-09-25T18:30:51Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2023-4631"
},
{
"type": "WEB",
"url": "https://wpscan.com/vulnerability/28613fc7-1400-4553-bcc3-24df1cee418e"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5HVV-M4W4-GF6V
Vulnerability from github – Published: 2026-04-14 22:31 – Updated: 2026-04-15 21:06Impact
A configuration-dependent authentication bypass exists in OAuth2 Proxy.
Deployments are affected when all of the following are true:
- OAuth2 Proxy is used with an
auth_request-style integration (for example, nginxauth_request) --ping-user-agentis set or--gcp-healthchecksis enabled
In affected configurations, OAuth2 Proxy will treat a request with the configured health check User-Agent value as a successful health check regardless of the requested path. This allows an unauthenticated remote attacker to bypass authentication and access protected upstream resources without completing the normal login flow.
This issue does not affect deployments that do not use auth_request-style subrequests, or that do not enable --ping-user-agent/--gcp-healthchecks.
Patches
Users should upgrade to v7.15.2 or later once available. Deployments running versions prior to v7.15.2 should be considered affected if they use auth_request-style authentication together with --ping-user-agent or --gcp-healthchecks.
Workarounds
Users can mitigate this issue by:
- disabling
--gcp-healthchecks - removing any configured
--ping-user-agent - ensuring the reverse proxy does not forward client-controlled
User-Agentheaders to the OAuth2 Proxy auth subrequest - using path-based health checks only, on dedicated health check endpoints
Example nginx mitigation for the auth subrequest:
location = /oauth2/auth {
internal;
proxy_pass http://127.0.0.1:4180;
proxy_pass_request_body off;
proxy_set_header Content-Length "";
proxy_set_header Host $host;
# set to value that isn't the same as your configured PingUserAgent or GCPs "GoogleHC/1.0"
proxy_set_header User-Agent "oauth2-proxy-auth-request";
}
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/oauth2-proxy/oauth2-proxy/v7"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "7.15.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/oauth2-proxy/oauth2-proxy"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "3.2.0"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-34457"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-14T22:31:19Z",
"nvd_published_at": "2026-04-14T23:16:28Z",
"severity": "CRITICAL"
},
"details": "### Impact\nA configuration-dependent authentication bypass exists in OAuth2 Proxy.\n\nDeployments are affected when all of the following are true:\n\n- OAuth2 Proxy is used with an `auth_request`-style integration (for example, nginx `auth_request`)\n- `--ping-user-agent` is set or `--gcp-healthchecks` is enabled\n\nIn affected configurations, OAuth2 Proxy will treat a request with the configured health check `User-Agent` value as a successful health check regardless of the requested path. This allows an unauthenticated remote attacker to bypass authentication and access protected upstream resources without completing the normal login flow.\n\nThis issue does not affect deployments that do not use `auth_request`-style subrequests, or that do not enable `--ping-user-agent`/`--gcp-healthchecks`.\n\n### Patches\nUsers should upgrade to `v7.15.2` or later once available. Deployments running versions prior to `v7.15.2` should be considered affected if they use `auth_request`-style authentication together with `--ping-user-agent` or `--gcp-healthchecks`.\n\n### Workarounds\nUsers can mitigate this issue by:\n\n- disabling `--gcp-healthchecks`\n- removing any configured `--ping-user-agent`\n- ensuring the reverse proxy does not forward client-controlled `User-Agent` headers to the OAuth2 Proxy auth subrequest\n- using path-based health checks only, on dedicated health check endpoints\n\nExample nginx mitigation for the auth subrequest:\n\n```nginx\nlocation = /oauth2/auth {\n internal;\n proxy_pass http://127.0.0.1:4180;\n proxy_pass_request_body off;\n proxy_set_header Content-Length \"\";\n proxy_set_header Host $host;\n # set to value that isn\u0027t the same as your configured PingUserAgent or GCPs \"GoogleHC/1.0\"\n proxy_set_header User-Agent \"oauth2-proxy-auth-request\";\n}\n```",
"id": "GHSA-5hvv-m4w4-gf6v",
"modified": "2026-04-15T21:06:37Z",
"published": "2026-04-14T22:31:19Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/security/advisories/GHSA-5hvv-m4w4-gf6v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-34457"
},
{
"type": "PACKAGE",
"url": "https://github.com/oauth2-proxy/oauth2-proxy"
},
{
"type": "WEB",
"url": "https://github.com/oauth2-proxy/oauth2-proxy/releases/tag/v7.15.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
}
],
"summary": " OAuth2 Proxy\u0027s Health Check User-Agent Matching Bypasses Authentication in auth_request Mode"
}
GHSA-5JX5-HQX5-2VRJ
Vulnerability from github – Published: 2024-04-08 21:31 – Updated: 2025-03-27 17:42Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/ollama/ollama"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.1.29"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2024-28224"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-346",
"CWE-350"
],
"github_reviewed": true,
"github_reviewed_at": "2024-04-08T22:20:11Z",
"nvd_published_at": "2024-04-08T19:15:07Z",
"severity": "HIGH"
},
"details": "Ollama before 0.1.29 has a DNS rebinding vulnerability that can inadvertently allow remote access to the full API, thereby letting an unauthorized user chat with a large language model, delete a model, or cause a denial of service (resource exhaustion).",
"id": "GHSA-5jx5-hqx5-2vrj",
"modified": "2025-03-27T17:42:19Z",
"published": "2024-04-08T21:31:16Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2024-28224"
},
{
"type": "PACKAGE",
"url": "https://github.com/ollama/ollama"
},
{
"type": "WEB",
"url": "https://github.com/ollama/ollama/releases"
},
{
"type": "WEB",
"url": "https://pkg.go.dev/vuln/GO-2024-2699"
},
{
"type": "WEB",
"url": "https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224"
},
{
"type": "WEB",
"url": "https://www.nccgroup.trust/us/our-research/?research=Technical+advisories"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Ollama DNS rebinding vulnerability"
}
GHSA-5M6W-WVH7-57VM
Vulnerability from github – Published: 2026-04-24 16:32 – Updated: 2026-05-06 21:24Summary
There is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context — such as a trusted scheme or host — through the alias headers and bypass authentication on protected routes without valid credentials.
Patches
- https://github.com/traefik/traefik/releases/tag/v2.11.43
- https://github.com/traefik/traefik/releases/tag/v3.6.14
- https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
For more information
If there are any questions or comments about this advisory, please open an issue.
Original Description ### Summary An authentication bypass arises from chaining two bugs: incomplete forwarded-header sanitization at ingress and overly permissive header forwarding in pre-auth subrequests. While canonical `X-Forwarded-*` headers are handled, alias variants (e.g., underscore forms) are neither normalized nor stripped consistently. When downstream auth services normalize these headers, attackers can inject trusted context and bypass authentication on protected routes without credentials. ### Details This issue results from the interaction between forwarded-header handling and auth subrequest construction, creating a trust boundary mismatch. At ingress, Traefik defines a fixed set of canonical forwarded headers (`X-Forwarded-Proto`, `X-Forwarded-For`, etc.): Reference : [`pkg/middlewares/forwardedheaders/forwarded_header.go#L29-L36`](https://github.com/traefik/traefik/blob/174e5d81111d8e9fb3d3c81cf6d22f3e33eb4f78/pkg/middlewares/forwardedheaders/forwarded_header.go#L29-L36)var xHeaders = []string{
xForwardedProto,
xForwardedFor,
xForwardedHost,
xForwardedPort,
This logic focuses exclusively on canonical header names and does not account for alias forms such as `X_Forwarded_Proto`. As a result, while standard headers may be sanitized or rewritten, semantically equivalent variants can pass through unchanged.
During ForwardAuth processing, request headers are copied wholesale into the auth subrequest:
Reference : [`pkg/middlewares/auth/forward.go#L401-L408`](https://github.com/traefik/traefik/blob/174e5d81111d8e9fb3d3c81cf6d22f3e33eb4f78/pkg/middlewares/auth/forward.go#L401-L408)
utils.CopyHeaders(forwardReq.Header, req.Header)
RemoveConnectionHeaders(forwardReq)
utils.RemoveHeaders(forwardReq.Header, hopHeaders...)
This implementation forwards nearly all client-supplied headers to the auth backend, with filtering limited to hop-by-hop headers. There is no normalization or deduplication between canonical and alias header forms, meaning attacker-controlled headers can reach the auth service intact.
A similar pattern exists in snippet-based auth:
Reference : [`pkg/middlewares/ingressnginx/snippet/snippet.go#L574-L581`](https://github.com/traefik/traefik/blob/174e5d81111d8e9fb3d3c81cf6d22f3e33eb4f78/pkg/middlewares/ingressnginx/snippet/snippet.go#L574-L581)
utils.CopyHeaders(forwardReq.Header, req.Header)
RemoveConnectionHeaders(forwardReq)
utils.RemoveHeaders(forwardReq.Header, hopHeaders...)
Again, headers are forwarded without enforcing a consistent trust model or canonicalization.
The vulnerability emerges when the auth backend normalizes header names (e.g., treating `X_Forwarded_Proto` and `X-Forwarded-Proto` equivalently). In that case:
- Traefik sanitizes only canonical headers.
- Alias headers remain attacker-controlled.
- The auth service merges or evaluates these aliases during normalization.
- Trust predicates (e.g., scheme = HTTPS, trusted host) are satisfied using spoofed values.
This allows a single crafted request to simultaneously bypass ingress trust enforcement and satisfy authentication checks, resulting in unauthorized access to protected backends.
### PoC
1. Configure a protected route using ForwardAuth or snippet-based auth, with an auth backend that normalizes header names (underscore ↔ dash).
2. Send a control request (expected: denied):
GET / HTTP/1.1
Host: target.local
User-Agent: poc-control
Connection: close
3. Send an exploit request with alias headers (expected: allowed):
GET /protected HTTP/1.1
Host: app.example.local
X_Forwarded_Proto: https
X_Forwarded_Host: trusted.example
Connection: close
### Impact
This vulnerability allows unauthenticated attackers to bypass authentication at the proxy-to-auth boundary by injecting spoofed trust context through header aliases. In deployments where authorization decisions depend on forwarded headers, attackers can access protected endpoints and interact with backend services as if they were fully authenticated. This effectively undermines ForwardAuth and similar mechanisms, potentially exposing sensitive internal functionality and data.
### Suggested Remediation
1. Strip and regenerate both canonical and alias forms of forwarded headers consistently at ingress and during auth subrequests.
2. Apply a unified normalization policy across all forwarded header families (including RFC7239 and `X-Forwarded-*`).
3. Restrict which headers are forwarded to auth services (prefer explicit allowlists).
4. Add regression tests covering alias normalization inconsistencies across common backend frameworks.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.7.0-ea.1"
},
{
"fixed": "3.7.0-rc.2"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v3"
},
"ranges": [
{
"events": [
{
"introduced": "3.0.0-beta1"
},
{
"fixed": "3.6.14"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik/v2"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.11.43"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/traefik/traefik"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"last_affected": "1.7.34"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39858"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-306"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-24T16:32:34Z",
"nvd_published_at": "2026-04-30T21:16:32Z",
"severity": "HIGH"
},
"details": "## Summary\n\nThere is a high severity authentication bypass vulnerability in Traefik\u0027s `ForwardAuth` and snippet-based authentication middleware. Traefik\u0027s forwarded-header sanitization logic targets only canonical header names (e.g., `X-Forwarded-Proto`) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., `X_Forwarded_Proto`). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context \u2014 such as a trusted scheme or host \u2014 through the alias headers and bypass authentication on protected routes without valid credentials.\n\n## Patches\n\n- https://github.com/traefik/traefik/releases/tag/v2.11.43\n- https://github.com/traefik/traefik/releases/tag/v3.6.14\n- https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2\n\n## For more information\n\nIf there are any questions or comments about this advisory, please [open an issue](https://github.com/traefik/traefik/issues).\n\n\u003cdetails\u003e\n\u003csummary\u003eOriginal Description\u003c/summary\u003e\n\n### Summary\nAn authentication bypass arises from chaining two bugs: incomplete forwarded-header sanitization at ingress and overly permissive header forwarding in pre-auth subrequests. While canonical `X-Forwarded-*` headers are handled, alias variants (e.g., underscore forms) are neither normalized nor stripped consistently. When downstream auth services normalize these headers, attackers can inject trusted context and bypass authentication on protected routes without credentials.\n\n### Details\nThis issue results from the interaction between forwarded-header handling and auth subrequest construction, creating a trust boundary mismatch.\n\nAt ingress, Traefik defines a fixed set of canonical forwarded headers (`X-Forwarded-Proto`, `X-Forwarded-For`, etc.):\n\nReference : [`pkg/middlewares/forwardedheaders/forwarded_header.go#L29-L36`](https://github.com/traefik/traefik/blob/174e5d81111d8e9fb3d3c81cf6d22f3e33eb4f78/pkg/middlewares/forwardedheaders/forwarded_header.go#L29-L36)\n\n```go\nvar xHeaders = []string{\n\txForwardedProto,\n\txForwardedFor,\n\txForwardedHost,\n\txForwardedPort,\n```\n\nThis logic focuses exclusively on canonical header names and does not account for alias forms such as `X_Forwarded_Proto`. As a result, while standard headers may be sanitized or rewritten, semantically equivalent variants can pass through unchanged.\n\nDuring ForwardAuth processing, request headers are copied wholesale into the auth subrequest:\n\nReference : [`pkg/middlewares/auth/forward.go#L401-L408`](https://github.com/traefik/traefik/blob/174e5d81111d8e9fb3d3c81cf6d22f3e33eb4f78/pkg/middlewares/auth/forward.go#L401-L408)\n\n```go\nutils.CopyHeaders(forwardReq.Header, req.Header)\nRemoveConnectionHeaders(forwardReq)\nutils.RemoveHeaders(forwardReq.Header, hopHeaders...)\n```\n\nThis implementation forwards nearly all client-supplied headers to the auth backend, with filtering limited to hop-by-hop headers. There is no normalization or deduplication between canonical and alias header forms, meaning attacker-controlled headers can reach the auth service intact.\n\nA similar pattern exists in snippet-based auth:\n\nReference : [`pkg/middlewares/ingressnginx/snippet/snippet.go#L574-L581`](https://github.com/traefik/traefik/blob/174e5d81111d8e9fb3d3c81cf6d22f3e33eb4f78/pkg/middlewares/ingressnginx/snippet/snippet.go#L574-L581)\n\n```go\nutils.CopyHeaders(forwardReq.Header, req.Header)\nRemoveConnectionHeaders(forwardReq)\nutils.RemoveHeaders(forwardReq.Header, hopHeaders...)\n```\n\nAgain, headers are forwarded without enforcing a consistent trust model or canonicalization.\n\nThe vulnerability emerges when the auth backend normalizes header names (e.g., treating `X_Forwarded_Proto` and `X-Forwarded-Proto` equivalently). In that case:\n\n- Traefik sanitizes only canonical headers.\n- Alias headers remain attacker-controlled.\n- The auth service merges or evaluates these aliases during normalization.\n- Trust predicates (e.g., scheme = HTTPS, trusted host) are satisfied using spoofed values.\n\nThis allows a single crafted request to simultaneously bypass ingress trust enforcement and satisfy authentication checks, resulting in unauthorized access to protected backends.\n\n### PoC\n\n1. Configure a protected route using ForwardAuth or snippet-based auth, with an auth backend that normalizes header names (underscore \u2194 dash).\n2. Send a control request (expected: denied):\n\n```http\nGET / HTTP/1.1\nHost: target.local\nUser-Agent: poc-control\nConnection: close\n```\n\n3. Send an exploit request with alias headers (expected: allowed):\n\n```http\nGET /protected HTTP/1.1\nHost: app.example.local\nX_Forwarded_Proto: https\nX_Forwarded_Host: trusted.example\nConnection: close\n```\n\n### Impact\nThis vulnerability allows unauthenticated attackers to bypass authentication at the proxy-to-auth boundary by injecting spoofed trust context through header aliases. In deployments where authorization decisions depend on forwarded headers, attackers can access protected endpoints and interact with backend services as if they were fully authenticated. This effectively undermines ForwardAuth and similar mechanisms, potentially exposing sensitive internal functionality and data.\n\n### Suggested Remediation\n1. Strip and regenerate both canonical and alias forms of forwarded headers consistently at ingress and during auth subrequests.\n2. Apply a unified normalization policy across all forwarded header families (including RFC7239 and `X-Forwarded-*`).\n3. Restrict which headers are forwarded to auth services (prefer explicit allowlists).\n4. Add regression tests covering alias normalization inconsistencies across common backend frameworks.\n\n\u003c/details\u003e\n\n---",
"id": "GHSA-5m6w-wvh7-57vm",
"modified": "2026-05-06T21:24:39Z",
"published": "2026-04-24T16:32:34Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39858"
},
{
"type": "PACKAGE",
"url": "https://github.com/traefik/traefik"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v2.11.43"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.6.14"
},
{
"type": "WEB",
"url": "https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:H/SI:H/SA:N",
"type": "CVSS_V4"
}
],
"summary": "Traefik: Pre-authentication decision bypass due to forwarded alias spoofing"
}
GHSA-5MWJ-V5JW-5C97
Vulnerability from github – Published: 2026-04-08 15:04 – Updated: 2026-04-09 14:28Summary
The webapi authentication layer trusts a client-controlled X-lobe-chat-auth header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected webapi routes.
Affected routes include:
- POST /webapi/chat/[provider]
- GET /webapi/models/[provider]
- POST /webapi/models/[provider]/pull
- POST /webapi/create-image/comfyui
Details
The frontend creates X-lobe-chat-auth by XOR-obfuscating JSON with the static key LobeHub · LobeHub, and the backend reverses that operation and treats the decoded JSON as trusted authentication data.
The backend then accepts any truthy apiKey field in that decoded payload as sufficient authentication. No real API key validation is performed in this path.
As a result, an unauthenticated attacker can forge payloads such as:
{"apiKey":"x"}
or
{"userId":"victim-user-123","apiKey":"x"}
and access webapi routes as an authenticated user.
Confirmed PoC The following forged header was generated directly from the published XOR key using payload {"apiKey":"x"}:
X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8=
That header decodes server-side to:
{"apiKey":"x"}
A simple request is:
curl 'https://TARGET/webapi/models/openai' \
-H 'X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8='
If the deployment has OPENAI_API_KEY configured, the request should succeed without a real login and return the provider model list.
A forged impersonation payload also works conceptually:
{"userId":"victim-user-123","apiKey":"x"}
Impact
This is an unauthenticated authentication bypass.
An attacker can:
- access protected webapi routes without a valid session
- spend the deployment's server-side model provider credentials when env keys like OPENAI_API_KEY are configured
- impersonate another user's userId for routes that load per-user provider configuration
- invoke privileged backend model operations such as chat, model listing, model pulls, and ComfyUI image generation
Root Cause
The core issue is trusting unsigned client-supplied auth data:
- the auth header is only obfuscated, not authenticated
- the obfuscation key is hardcoded and recoverable from the repository
- the decoded apiKey field is treated as sufficient authentication even though it is never validated in this code path
- Suggested Remediation
- Stop treating X-lobe-chat-auth as an authentication token.
- Remove the apiKey truthiness check as an auth decision.
- Require a real server-validated session, OIDC token, or validated API key for all protected webapi routes.
- If a client payload is still needed, sign it server-side with an HMAC or replace it with a normal session-bound backend lookup.
- Affected Products
Ecosystem: npm
Package name: @lobehub/lobehub Affected versions: <= 2.1.47 Patched versions: 2.1.48
Severity Moderate Vector String CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses CWE-287: Improper Authentication CWE-345: Insufficient Verification of Data Authenticity CWE-290: Authentication Bypass by Spoofing
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 2.1.47"
},
"package": {
"ecosystem": "npm",
"name": "@lobehub/lobehub"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "2.1.48"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-39411"
],
"database_specific": {
"cwe_ids": [
"CWE-287",
"CWE-290",
"CWE-345"
],
"github_reviewed": true,
"github_reviewed_at": "2026-04-08T15:04:30Z",
"nvd_published_at": "2026-04-08T20:16:25Z",
"severity": "MODERATE"
},
"details": "# Summary\n\nThe `webapi` authentication layer trusts a client-controlled `X-lobe-chat-auth` header that is only XOR-obfuscated, not signed or otherwise authenticated. Because the XOR key is hardcoded in the repository, an attacker can forge arbitrary auth payloads and bypass authentication on protected `webapi` routes.\n\nAffected routes include:\n- `POST /webapi/chat/[provider]`\n- `GET /webapi/models/[provider]`\n- `POST /webapi/models/[provider]/pull`\n- `POST /webapi/create-image/comfyui`\n\n## Details\n\nThe frontend creates `X-lobe-chat-auth` by XOR-obfuscating JSON with the static key `LobeHub \u00b7 LobeHub`, and the backend reverses that operation and treats the decoded JSON as trusted authentication data.\n\nThe backend then accepts any truthy `apiKey` field in that decoded payload as sufficient authentication. No real API key validation is performed in this path.\n\nAs a result, an unauthenticated attacker can forge payloads such as:\n\n```json\n{\"apiKey\":\"x\"} \n```\n\nor \n\n``` {\"userId\":\"victim-user-123\",\"apiKey\":\"x\"} ```\n\nand access webapi routes as an authenticated user.\n\nConfirmed PoC\nThe following forged header was generated directly from the published XOR key using payload {\"apiKey\":\"x\"}:\n\n\n``` X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8= ```\n\nThat header decodes server-side to:\n\n``` {\"apiKey\":\"x\"}```\n\nA simple request is:\n\n``` curl \u0027https://TARGET/webapi/models/openai\u0027 \\\n -H \u0027X-lobe-chat-auth: N00DFSE+B1ngjQI0TR8=\u0027 ``` \n\nIf the deployment has OPENAI_API_KEY configured, the request should succeed without a real login and return the provider model list.\n\nA forged impersonation payload also works conceptually:\n\n``` {\"userId\":\"victim-user-123\",\"apiKey\":\"x\"} ``` \n\n### Impact\nThis is an unauthenticated authentication bypass.\n\nAn attacker can:\n\n1. access protected webapi routes without a valid session\n2. spend the deployment\u0027s server-side model provider credentials when env keys like OPENAI_API_KEY are configured\n3. impersonate another user\u0027s userId for routes that load per-user provider configuration\n4. invoke privileged backend model operations such as chat, model listing, model pulls, and ComfyUI image generation\n\n### Root Cause\nThe core issue is trusting unsigned client-supplied auth data:\n\n1. the auth header is only obfuscated, not authenticated\n2. the obfuscation key is hardcoded and recoverable from the repository\n3. the decoded apiKey field is treated as sufficient authentication even though it is never validated in this code path\n4. Suggested Remediation\n5. Stop treating X-lobe-chat-auth as an authentication token.\n6. Remove the apiKey truthiness check as an auth decision.\n7. Require a real server-validated session, OIDC token, or validated API key for all protected webapi routes.\n8. If a client payload is still needed, sign it server-side with an HMAC or replace it with a normal session-bound backend lookup.\n9. Affected Products\n\nEcosystem: npm\n\nPackage name: @lobehub/lobehub\nAffected versions: \u003c= 2.1.47\nPatched versions: 2.1.48\n\nSeverity\nModerate\nVector String\nCVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L\n\nWeaknesses\nCWE-287: Improper Authentication\nCWE-345: Insufficient Verification of Data Authenticity\nCWE-290: Authentication Bypass by Spoofing",
"id": "GHSA-5mwj-v5jw-5c97",
"modified": "2026-04-09T14:28:56Z",
"published": "2026-04-08T15:04:30Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/security/advisories/GHSA-5mwj-v5jw-5c97"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-39411"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/pull/13535"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/commit/3327b293d66c013f076cbc16cdbd05a61a3d0428"
},
{
"type": "PACKAGE",
"url": "https://github.com/lobehub/lobehub"
},
{
"type": "WEB",
"url": "https://github.com/lobehub/lobehub/releases/tag/v2.1.48"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L",
"type": "CVSS_V3"
}
],
"summary": "LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header"
}
GHSA-5P8V-58QM-C7FP
Vulnerability from github – Published: 2022-09-21 21:33 – Updated: 2024-07-10 21:32Impact
An attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user's identities, hijack their sessions, or bypass authentication.
Patches
Users should upgrade to version 3.3.4 Fixed by: https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9
Workarounds
None
References
Found by Tom Tervoort https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml
More information
The vulnerability allows an attacker, who possesses a single valid JWT, to create a new token with forged claims that the verify_jwt function will accept as valid.
The issue is caused by an inconsistency between the JWT parsers used by python-jwt and its dependency jwcrypto. By mixing compact and JSON representations, an attacker can trick jwcrypto of parsing different claims than those over which a signature is validated by jwcrypto.
Testing the fix has been added as an automated unit test to python-jwt.
If you have any questions or comments about this advisory, please open an issue in python-jwt
{
"affected": [
{
"package": {
"ecosystem": "PyPI",
"name": "python-jwt"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "3.3.4"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2022-39227"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2022-09-21T21:33:22Z",
"nvd_published_at": "2022-09-23T07:15:00Z",
"severity": "CRITICAL"
},
"details": "### Impact\nAn attacker who obtains a JWT can arbitrarily forge its contents without knowing the secret key. Depending on the application, this may for example enable the attacker to spoof other user\u0027s identities, hijack their sessions, or bypass authentication.\n\n### Patches\nUsers should upgrade to version 3.3.4\nFixed by: https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9\n\n### Workarounds\nNone\n\n### References\nFound by [Tom Tervoort](Tom.Tervoort@secura.com)\nhttps://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml\n\n### More information\n\nThe vulnerability allows an attacker, who possesses a single valid JWT, to create a new token with forged claims that the verify_jwt function will accept as valid.\n\nThe issue is caused by an inconsistency between the JWT parsers used by python-jwt and its dependency jwcrypto. By mixing compact and JSON representations, an attacker can trick jwcrypto of parsing different claims than those over which a signature is validated by jwcrypto.\n\nTesting the fix has been added as an [automated unit test](https://github.com/davedoesdev/python-jwt/blob/master/test/vulnerability_vows.py) to python-jwt.\n\nIf you have any questions or comments about this advisory, please open an issue in [python-jwt](https://github.com/davedoesdev/python-jwt)\n",
"id": "GHSA-5p8v-58qm-c7fp",
"modified": "2024-07-10T21:32:14Z",
"published": "2022-09-21T21:33:22Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/davedoesdev/python-jwt/security/advisories/GHSA-5p8v-58qm-c7fp"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-39227"
},
{
"type": "WEB",
"url": "https://github.com/davedoesdev/python-jwt/commit/6c5075469847b9e8b6e5336077d989d77a4d2bf1"
},
{
"type": "WEB",
"url": "https://github.com/davedoesdev/python-jwt/commit/88ad9e67c53aa5f7c43ec4aa52ed34b7930068c9"
},
{
"type": "PACKAGE",
"url": "https://github.com/davedoesdev/python-jwt"
},
{
"type": "WEB",
"url": "https://github.com/pypa/advisory-database/blob/main/vulns/python-jwt/PYSEC-2022-259.yaml"
},
{
"type": "WEB",
"url": "https://www.vicarius.io/vsociety/posts/authentication-bypass-in-python-jwt"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N",
"type": "CVSS_V4"
}
],
"summary": "python-jwt vulnerable to token forgery with new claims"
}
GHSA-5QXP-CR8V-39PX
Vulnerability from github – Published: 2026-05-19 15:31 – Updated: 2026-05-20 18:31Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.
{
"affected": [],
"aliases": [
"CVE-2026-8961"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-05-19T14:16:52Z",
"severity": "MODERATE"
},
"details": "Spoofing issue in the Form Autofill component. This vulnerability was fixed in Firefox 151 and Firefox ESR 140.11.",
"id": "GHSA-5qxp-cr8v-39px",
"modified": "2026-05-20T18:31:33Z",
"published": "2026-05-19T15:31:33Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-8961"
},
{
"type": "WEB",
"url": "https://bugzilla.mozilla.org/show_bug.cgi?id=1962625"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-46"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-48"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-50"
},
{
"type": "WEB",
"url": "https://www.mozilla.org/security/advisories/mfsa2026-51"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-5RJJ-25HF-WF28
Vulnerability from github – Published: 2022-05-24 17:43 – Updated: 2022-05-24 17:43An issue was discovered in Scytl sVote 2.1. Because the IP address from an X-Forwarded-For header (which can be manipulated client-side) is used for the internal application logs, an attacker can inject wrong IP addresses into these logs.
{
"affected": [],
"aliases": [
"CVE-2019-25023"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-02-27T05:15:00Z",
"severity": "MODERATE"
},
"details": "An issue was discovered in Scytl sVote 2.1. Because the IP address from an X-Forwarded-For header (which can be manipulated client-side) is used for the internal application logs, an attacker can inject wrong IP addresses into these logs.",
"id": "GHSA-5rjj-25hf-wf28",
"modified": "2022-05-24T17:43:21Z",
"published": "2022-05-24T17:43:21Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-25023"
},
{
"type": "WEB",
"url": "https://suid.ch/research/CVE-2019-25023.html"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-5VH2-6VMQ-FW7J
Vulnerability from github – Published: 2025-11-20 15:30 – Updated: 2025-11-20 15:30An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnerable.
This issue has already been mitigated for Looker-hosted.
Self-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted. The versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ : * 24.12.100+ * 24.18.193+ * 25.0.69+ * 25.6.57+ * 25.8.39+ * 25.10.22+ * 25.12.0+
{
"affected": [],
"aliases": [
"CVE-2025-12414"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-11-20T15:17:23Z",
"severity": "CRITICAL"
},
"details": "An attacker could take over a Looker account in a Looker instance configured with OIDC authentication, due to email address string normalization.Looker-hosted and Self-hosted were found to be vulnerable.\n\nThis issue has already been mitigated for Looker-hosted.\n\n\nSelf-hosted instances must be upgraded as soon as possible. This vulnerability has been patched in all supported versions of Self-hosted.\nThe versions below have all been updated to protect from this vulnerability. You can download these versions at the Looker download page https://download.looker.com/ :\n * 24.12.100+\n * 24.18.193+\n * 25.0.69+\n * 25.6.57+\n * 25.8.39+\n * 25.10.22+\n * 25.12.0+",
"id": "GHSA-5vh2-6vmq-fw7j",
"modified": "2025-11-20T15:30:22Z",
"published": "2025-11-20T15:30:22Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-12414"
},
{
"type": "WEB",
"url": "https://cloud.google.com/support/bulletins#GCP-2025-067"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:Amber",
"type": "CVSS_V4"
}
]
}
GHSA-627P-RR78-99RJ
Vulnerability from github – Published: 2021-12-20 17:56 – Updated: 2025-07-22 16:13Impact
Installations which use the GitLab auth connector are vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another GitLab user who is granted access to a Concourse team by having their full name listed under users in the team configuration or given to the --gitlab-user flag.
See the GitLab auth docs for details.
Concourse installations which do not configure the GitLab auth connector are not affected.
Patches
Concourse v6.3.1 and v6.4.1 were both released with a fix on August 4th, 2020.
Both versions change the GitLab connector to use the username, rather than the full name. This was always the intent, and the previous behavior was originally reported as a bug (concourse/dex#7) prior to being reported as a security issue.
Any Concourse teams which configure GitLab users will have to switch each user from their full name to their username upon upgrading to these versions.
Workarounds
GitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.
References
- concourse/dex#12: PR with the fix
For more information
If you have any questions or comments about this advisory, you may reach us privately at concourseteam+security@gmail.com.
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/concourse/concourse"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"fixed": "6.4.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.4.0"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 6.3.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/concourse/concourse"
},
"ranges": [
{
"events": [
{
"introduced": "1.6.1"
},
{
"fixed": "6.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/concourse/dex"
},
"ranges": [
{
"events": [
{
"introduced": "6.4.0"
},
{
"fixed": "6.4.1"
}
],
"type": "ECOSYSTEM"
}
],
"versions": [
"6.4.0"
]
},
{
"database_specific": {
"last_known_affected_version_range": "\u003c 6.3.0"
},
"package": {
"ecosystem": "Go",
"name": "github.com/concourse/dex"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
},
{
"fixed": "6.3.1"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/concourse/dex"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200730150203-821b48abfd88"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/concourse/concourse"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "0.0.0-20200730151558-b00d1c8d8576"
}
],
"type": "ECOSYSTEM"
}
]
},
{
"package": {
"ecosystem": "Go",
"name": "github.com/concourse/concourse"
},
"ranges": [
{
"events": [
{
"introduced": "0.0.0"
},
{
"fixed": "1.6.1-0.20200730151558-b00d1c8d8576"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2020-5415"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2021-05-24T17:56:03Z",
"nvd_published_at": null,
"severity": "HIGH"
},
"details": "### Impact\n\nInstallations which use the GitLab auth connector are vulnerable to identity spoofing by way of configuring a GitLab account with the same full name as another GitLab user who is granted access to a Concourse team by having their full name listed under `users` in the team configuration or given to the `--gitlab-user` flag.\n\nSee the [GitLab auth docs](https://concourse-ci.org/gitlab-auth.html) for details.\n\nConcourse installations which do not configure the GitLab auth connector are not affected.\n\n### Patches\n\nConcourse [v6.3.1](https://github.com/concourse/concourse/releases/tag/v6.3.1) and [v6.4.1](https://github.com/concourse/concourse/releases/tag/v6.4.1) were both released with a fix on August 4th, 2020.\n\nBoth versions change the GitLab connector to use the username, rather than the full name. This was always the intent, and the previous behavior was originally reported as a bug (concourse/dex#7) prior to being reported as a security issue.\n\nAny Concourse teams which configure GitLab users will have to switch each user from their full name to their username upon upgrading to these versions.\n\n### Workarounds\n\nGitLab groups do not have this vulnerability, so GitLab users may be moved into groups which are then configured in the Concourse team.\n\n### References\n\n* concourse/dex#12: PR with the fix\n\n### For more information\n\nIf you have any questions or comments about this advisory, you may reach us privately at [concourseteam+security@gmail.com](mailto:concourseteam+security@gmail.com).",
"id": "GHSA-627p-rr78-99rj",
"modified": "2025-07-22T16:13:01Z",
"published": "2021-12-20T17:56:03Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/concourse/concourse/security/advisories/GHSA-627p-rr78-99rj"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-5415"
},
{
"type": "WEB",
"url": "https://tanzu.vmware.com/security/cve-2020-5415"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "GitLab auth uses full name instead of username as user ID, allowing impersonation"
}
No mitigation information available for this CWE.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.
CAPEC-473: Signature Spoof
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
CAPEC-476: Signature Spoofing by Misrepresentation
An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.