CVE-2026-42300

CRITICAL SEVERITY

Vulnerability Description

DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated attacker who knows or can guess a target user's Kratos identity UUID can issue requests as that user. Where the target user is an organisation admin or owner, this gives the attacker full control over that organisation's DevGuard resources. This vulnerability is fixed in 1.2.2.

Vulnerability Details

Published Date

May 05, 2026

Last Modified

May 13, 2026

CWE ID

CWE-288

Source

GitHub

Vendor

Product

github.com/l3montree-dev/devguard

External References

https://github.com/l3montree-dev/devguard/security/advisories/GHSA-2g9v-7mr5-fgjg
https://github.com/l3montree-dev/devguard/commit/6f38310bf93b2a63df3055038f4da82b1f4e6d9a
https://github.com/advisories/GHSA-2g9v-7mr5-fgjg

CVE-2026-42300

Vulnerability Description

Vulnerability Details

External References

Discussion (0)

Add Comment