{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/mobile-api/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["code100x Mobile API"],"_cs_severities":["high"],"_cs_tags":["authentication-bypass","mobile-api","cve-2026-8890","credential-access","privilege-escalation"],"_cs_type":"advisory","_cs_vendors":["code100x"],"content_html":"\u003cp\u003eAn authentication bypass vulnerability exists within the code100x Mobile API. This flaw, identified as CVE-2026-8890, allows unauthenticated attackers to impersonate arbitrary users, including administrators. The vulnerability stems from insufficient validation of the \u0026lsquo;Auth-Key\u0026rsquo; HTTP header within the middleware.ts file. By supplying a crafted JSON payload within the \u0026lsquo;g\u0026rsquo; HTTP header, an attacker can bypass authentication and inject a spoofed user identity header. This spoofed identity is then accepted as trusted by the downstream route handler, leading to unauthorized access to course data and other sensitive information. This issue poses a significant risk to user privacy and data security, potentially enabling attackers to access, modify, or delete user accounts and course content.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request targeting the Mobile API.\u003c/li\u003e\n\u003cli\u003eThe request includes an \u0026lsquo;Auth-Key\u0026rsquo; header with an arbitrary value to trigger the bypass condition.\u003c/li\u003e\n\u003cli\u003eThe request also includes a \u0026lsquo;g\u0026rsquo; HTTP header containing a crafted JSON payload with the attacker\u0026rsquo;s desired user identity.\u003c/li\u003e\n\u003cli\u003eThe middleware in middleware.ts skips identity header generation due to the presence of the \u0026lsquo;Auth-Key\u0026rsquo; header.\u003c/li\u003e\n\u003cli\u003eThe crafted JSON payload in the \u0026lsquo;g\u0026rsquo; header is used to create a spoofed user identity header.\u003c/li\u003e\n\u003cli\u003eThe downstream route handler, such as the mobile courses endpoint, trusts the spoofed user identity header.\u003c/li\u003e\n\u003cli\u003eThe attacker gains unauthorized access to course data, impersonating the targeted user or administrator.\u003c/li\u003e\n\u003cli\u003eThe attacker can then perform actions as the impersonated user, such as viewing, modifying, or deleting course data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-8890 allows unauthenticated attackers to impersonate any user, including administrators, within the code100x Mobile API. This could lead to unauthorized access to sensitive course data, modification of user accounts, and potential disruption of services. The vulnerability poses a significant risk to the confidentiality, integrity, and availability of the platform. The specific number of affected users is currently unknown, but all users of the code100x Mobile API are potentially at risk.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eApply the patch or update provided by code100x for CVE-2026-8890 to remediate the authentication bypass vulnerability.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect code100x Mobile API Authentication Bypass Attempt\u003c/code\u003e to identify exploitation attempts based on the presence of the \u0026lsquo;Auth-Key\u0026rsquo; header and a crafted \u0026lsquo;g\u0026rsquo; header.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for HTTP requests containing the \u0026lsquo;Auth-Key\u0026rsquo; header in combination with a \u0026lsquo;g\u0026rsquo; header, focusing on requests targeting the Mobile API endpoints, as indicated by the rule \u003ccode\u003eDetect code100x Mobile API Authentication Bypass Attempt\u003c/code\u003e.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-26T19:19:47Z","date_published":"2026-05-26T19:19:47Z","id":"https://feed.craftedsignal.io/briefs/2026-05-code100x-auth-bypass/","summary":"code100x Mobile API contains an authentication bypass vulnerability (CVE-2026-8890) allowing unauthenticated attackers to impersonate arbitrary users by crafting a JSON payload in the 'g' HTTP header, skipping identity header validation and granting unauthorized access to course data.","title":"code100x Mobile API Authentication Bypass Vulnerability (CVE-2026-8890)","url":"https://feed.craftedsignal.io/briefs/2026-05-code100x-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — Mobile-Api","version":"https://jsonfeed.org/version/1.1"}