CVE

CVE-2026-42300

DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header

CVE

CVE-2026-42300

DevGuard has an unauthenticated identity assertion via `X-Admin-Token` header

Impact

The SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated attacker who knows or can guess a target user's Kratos identity UUID can issue requests as that user. Where the target user is an organisation admin or owner, this gives the attacker full control over that organisation's DevGuard resources.

Patches

The release v1.2.2 patches this issue. Update your DevGuard API Instances to this version.

Workarounds

Configure a reverse proxy to strip the X-Admin-Token header before sending requests to the DevGuard API.

Resources

Fixed commit: https://github.com/l3montree-dev/devguard/commit/6f38310bf93b2a63df3055038f4da82b1f4e6d9a

Package Versions Affected

No items found.

Automatically patch vulnerabilities without upgrading

Fix Without Upgrading

Detect compatible fix

Apply safe remediation

Fix with a single pull request

CVSS Version

Related Resources

No items found.

References

https://github.com/l3montree-dev/devguard/security/advisories/GHSA-2g9v-7mr5-fgjg, https://github.com/l3montree-dev/devguard/commit/6f38310bf93b2a63df3055038f4da82b1f4e6d9a, https://github.com/l3montree-dev/devguard

Severity

0

CVSS Score

Basic Information

Ecosystem

Base CVSS

EPSS Probability

EPSS Percentile

Introduced Version

Fix Available

1.2.2

Fix Critical Vulnerabilities Instantly

Secure your app without upgrading.

Fix Without Upgrading

Get a Demo

Let's Patch It!

CVE-2026-42300

CVE-2026-42300

Impact

Patches

Workarounds

Resources

Package Versions Affected

Automatically patch vulnerabilities without upgrading

CVSS Version

Related Resources

References

Severity

0

Basic Information

Fix Critical Vulnerabilities Instantly