PatchSiren cyber security CVE debrief

CVE-2026-8890 code100x CVE debrief

CVE-2026-8890 documents an authentication bypass vulnerability in the code100x CMS Mobile API, published 2026-05-26. The flaw resides in middleware.ts, where the presence of an Auth-Key header—without validation of its value—causes the middleware to skip legitimate identity header generation. Attackers can exploit this by supplying a crafted JSON payload in the 'g' HTTP header, injecting a spoofed user identity that downstream route handlers trust. This grants unauthenticated attackers unauthorized access to course data belonging to any enrolled user or administrator. The vulnerability carries a CVSS 4.0 score of 8.8 (HIGH). The issue was disclosed via Vulncheck and is tracked in GitHub issue 1924, with remediation addressed in pull request 1927. No known exploitation in ransomware campaigns has been reported.

Vendor: code100x
Product: Unknown
CVSS: HIGH 8.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-26
Original CVE updated: 2026-05-26
Advisory published: 2026-05-26
Advisory updated: 2026-05-26

Who should care

Organizations running code100x CMS with Mobile API enabled; security teams responsible for API authentication controls; developers maintaining Next.js/Node.js middleware authentication flows

Technical summary

The code100x CMS Mobile API contains an authentication bypass in middleware.ts. When an Auth-Key header is present, the middleware skips identity header generation without validating the Auth-Key value. Attackers can inject a spoofed user identity via a crafted 'g' HTTP header containing JSON, which downstream route handlers accept as trusted. This allows unauthenticated impersonation of arbitrary users, including administrators, granting unauthorized access to course data.

Defensive priority

HIGH

Recommended defensive actions

  • Review middleware.ts to ensure Auth-Key header presence triggers validation, not unconditional bypass of identity generation
  • Implement strict validation of all authentication headers before trusting downstream identity injection
  • Audit mobile courses endpoint and other route handlers to verify they do not accept externally supplied identity headers without cryptographic verification
  • Deploy patches from code100x/cms pull request 1927
  • Monitor access logs for requests containing 'g' headers with JSON payloads to detect potential exploitation attempts
  • Rotate session credentials and review access logs for unauthorized course data access between disclosure and patching
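The following is an added illustrative model of the middleware pattern described in the technical summary and targeted by the first three actions above; it is not code from code100x/cms. The header names Auth-Key and g come from the advisory; the function names, the session store, and the MOBILE_AUTH_KEY value are constructed assumptions.

```typescript
// Illustrative model (not the code100x/cms source). Header names lower-cased.
type HeaderMap = Record<string, string>;
type Identity = { userId: string; role: "user" | "admin" };
type Result = { status: number; headers: HeaderMap };

// Constructed stand-ins for a server-side session lookup and the configured key.
const SESSIONS: Record<string, Identity> = { "sess-42": { userId: "u42", role: "user" } };
export const MOBILE_AUTH_KEY = "constructed-mobile-key";

function sessionIdentity(h: HeaderMap): Identity | undefined {
  return SESSIONS[h["cookie"] ?? ""];
}

// Vulnerable pattern: an Auth-Key header merely being present skips identity
// generation, so a caller-supplied 'g' header reaches route handlers untouched.
export function vulnerableMiddleware(h: HeaderMap): Result {
  if ("auth-key" in h) return { status: 200, headers: { ...h } };
  const id = sessionIdentity(h);
  if (!id) return { status: 401, headers: {} };
  return { status: 200, headers: { ...h, g: JSON.stringify(id) } };
}

// Constant-time string comparison so key checks do not leak via timing.
// In production use crypto.timingSafeEqual; written out here to stay dependency-free.
function keyMatches(supplied: string): boolean {
  let diff = supplied.length ^ MOBILE_AUTH_KEY.length;
  for (let i = 0; i < MOBILE_AUTH_KEY.length; i++) {
    diff |= MOBILE_AUTH_KEY.charCodeAt(i) ^ (supplied.charCodeAt(i) || 0);
  }
  return diff === 0;
}

// Hardened pattern: an inbound 'g' is always discarded, Auth-Key is checked by
// value, and identity is generated only from server-side state. A valid key
// never bypasses identity generation; an invalid one is rejected outright.
export function hardenedMiddleware(h: HeaderMap): Result {
  const clean: HeaderMap = { ...h };
  delete clean["g"];                       // never trust a caller-supplied identity
  if ("auth-key" in h && !keyMatches(h["auth-key"])) return { status: 401, headers: {} };
  const id = sessionIdentity(clean);
  if (!id) return { status: 401, headers: {} };
  return { status: 200, headers: { ...clean, g: JSON.stringify(id) } };
}

// Downstream handler as the advisory describes it: trusts whatever 'g' carries.
export function identityFromG(r: Result): Identity | undefined {
  if (r.status !== 200 || !r.headers["g"]) return undefined;
  return JSON.parse(r.headers["g"]) as Identity;
}
```

Running the two middlewares over the same spoofed request shows the vulnerable model handing an attacker-chosen admin identity to the handler, while the hardened model rejects the bad key and, for a legitimate session, overwrites any client-supplied 'g'.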

Evidence notes

Vulnerability disclosed via Vulncheck advisory. GitHub issue 1924 documents the report; pull request 1927 contains remediation commits. CVSS 4.0 vector confirms network attack vector with low attack complexity and no privileges required.

Official resources

2026-05-26T19:16:34.007Z