{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/vendors/l3montree-dev/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":["devguard","devguard API"],"_cs_severities":["critical"],"_cs_tags":["authentication","authorization","privilege_escalation","web_application"],"_cs_type":"advisory","_cs_vendors":["GitHub","l3montree-dev"],"content_html":"\u003cp\u003eDevGuard versions prior to 1.2.2 are susceptible to an unauthenticated identity assertion vulnerability. The \u003ccode\u003eSessionMiddleware\u003c/code\u003e component improperly handles the \u003ccode\u003eX-Admin-Token\u003c/code\u003e HTTP header, using its value directly as the authenticated \u003ccode\u003euserID\u003c/code\u003e when a Kratos session cookie is absent. This allows an attacker to impersonate any user, including organization administrators or owners, by knowing or guessing their Kratos identity UUID. Successful exploitation grants the attacker complete control over the targeted organization\u0026rsquo;s DevGuard resources. The vulnerability was patched in version 1.2.2. This issue poses a significant risk to organizations using affected DevGuard versions, potentially leading to unauthorized access, data breaches, and complete compromise of DevGuard resources.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a target DevGuard instance running a version prior to 1.2.2.\u003c/li\u003e\n\u003cli\u003eThe attacker obtains or guesses the Kratos identity UUID of a target user, ideally an organization admin or owner.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP request to the DevGuard API, including the \u003ccode\u003eX-Admin-Token\u003c/code\u003e header set to the target user\u0026rsquo;s Kratos identity UUID.\u003c/li\u003e\n\u003cli\u003eThe DevGuard \u003ccode\u003eSessionMiddleware\u003c/code\u003e processes the request. Since no Kratos session cookie is present, it trusts the \u003ccode\u003eX-Admin-Token\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003eSessionMiddleware\u003c/code\u003e incorrectly authenticates the request as the user specified in the \u003ccode\u003eX-Admin-Token\u003c/code\u003e header.\u003c/li\u003e\n\u003cli\u003eThe attacker, now impersonating the target user, sends further API requests to access and manipulate organization resources.\u003c/li\u003e\n\u003cli\u003eIf the impersonated user is an organization administrator or owner, the attacker gains full control over the organization\u0026rsquo;s DevGuard resources.\u003c/li\u003e\n\u003cli\u003eThe attacker may then create new users, modify existing resources, delete data, or perform other administrative actions.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an unauthenticated attacker to assume the identity of any user, including organization administrators or owners, within affected DevGuard instances. For administrative users, this leads to complete control over the organization\u0026rsquo;s DevGuard resources, allowing for unauthorized data access, modification, or deletion. The impact could range from data breaches to complete compromise of the targeted organization\u0026rsquo;s DevGuard infrastructure.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eUpgrade all DevGuard API instances to version 1.2.2 to remediate the vulnerability as mentioned in the release notes.\u003c/li\u003e\n\u003cli\u003eImplement a reverse proxy to strip the \u003ccode\u003eX-Admin-Token\u003c/code\u003e header from all incoming requests to the DevGuard API as a workaround.\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for the presence of the \u003ccode\u003eX-Admin-Token\u003c/code\u003e header in requests lacking a valid Kratos session cookie, using the provided Sigma rule to detect potential exploitation attempts.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-05-06T12:00:00Z","date_published":"2026-05-06T12:00:00Z","id":"/briefs/2026-05-devguard-auth-bypass/","summary":"DevGuard versions before 1.2.2 are vulnerable to unauthenticated identity assertion via a client-supplied `X-Admin-Token` HTTP request header, potentially granting attackers full control over organizations if they can guess an admin/owner's Kratos identity UUID.","title":"DevGuard Unauthenticated Identity Assertion via X-Admin-Token","url":"https://feed.craftedsignal.io/briefs/2026-05-devguard-auth-bypass/"}],"language":"en","title":"CraftedSignal Threat Feed — L3montree-Dev","version":"https://jsonfeed.org/version/1.1"}