PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-45577 markmhendrickson CVE debrief

## Summary

Neotoma (versions 0.6.0 to before 0.11.1) contains an authentication bypass vulnerability where public reverse-proxied requests received over a loopback socket without a Bearer token are incorrectly treated as local requests. This allows the REST auth middleware to resolve unauthenticated requests as the local development user, exposing the hosted Inspector and related API surface without credentials.

## Technical Details

The vulnerability stems from improper authentication logic in Neotoma's REST auth middleware. When the application receives requests over a loopback socket (127.0.0.1/::1) that originate from a public reverse proxy, and no Bearer token is present, the middleware incorrectly classifies these as local development requests. This trust boundary violation occurs because the middleware relies on the socket-level source address rather than transport-level authentication or explicit local-only binding.

The affected code path:

1. Receives HTTP request on loopback interface
2. Absence of Bearer token triggers local-user fallback
3. Request resolved as local development user
4. Grants access to Inspector UI and administrative API endpoints

This is particularly dangerous in containerized or reverse-proxy deployments where the application binds to localhost but receives externally sourced traffic.

## Affected Versions

- **Vulnerable**: 0.6.0 through 0.11.0 (inclusive)
- **Patched**: 0.11.1 and later

## Risk Assessment

**CVSS 4.0 Score**: 6.9 (MEDIUM)

The vulnerability enables unauthenticated access to potentially sensitive debugging and administrative interfaces. While the attack requires a specific deployment configuration (reverse proxy → loopback socket), this pattern is common in containerized environments using sidecar proxies or local load balancers.

The Inspector interface may expose:

- Application state and configuration
- Potentially sensitive logged data
- Administrative control surfaces

## Detection Guidance

Review deployments for:

1. Neotoma versions 0.6.0–0.11.0
2. Binding configuration: `127.0.0.1` or `::1` with external traffic
3. Reverse proxy architecture (nginx, Envoy, cloud load balancers)
4. Absence of network-level m
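The code path described under Technical Details, as an added example that is not Neotoma's own code: a vulnerable user-resolution step beside a hardened one, exercised on constructed requests. The names (`resolveUserVulnerable`, `LOCAL_DEV_USER`, the `localOnlyMode` option, the token table) are assumptions for illustration.

```javascript
// Added example, not Neotoma's code. Two versions of the user-resolution
// step of a REST auth middleware. The vulnerable one reproduces the code
// path in the advisory; the hardened one never treats the socket peer
// address as a credential. Request shape, LOCAL_DEV_USER and the token
// table are constructed for illustration.
const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);
const LOCAL_DEV_USER = { id: "local-dev", roles: ["admin"] };
const VALID_TOKENS = new Map([["tok-alice", { id: "alice", roles: ["user"] }]]);

// Extract the token from "Authorization: Bearer <token>", or null.
function bearerToken(req) {
  const m = /^Bearer\s+(\S+)$/i.exec(req.headers["authorization"] || "");
  return m ? m[1] : null;
}

// Look the token up; unknown tokens resolve to null (unauthenticated).
function verifyBearer(token) {
  return VALID_TOKENS.get(token) || null;
}

// Vulnerable pattern (0.6.0 through 0.11.0): no token + loopback peer =>
// local dev user. Behind a reverse proxy every request has a loopback
// peer, so an unauthenticated external client is granted the Inspector.
function resolveUserVulnerable(req) {
  const token = bearerToken(req);
  if (token) return verifyBearer(token);
  return LOOPBACK.has(req.socket.remoteAddress) ? LOCAL_DEV_USER : null;
}

// Hardened: the fallback requires an explicit local-only mode set by the
// operator, and is refused when the request carries a forwarded-for
// header, which means a proxy (not the developer) is the loopback peer.
function resolveUserHardened(req, opts) {
  const token = bearerToken(req);
  if (token) return verifyBearer(token);
  const proxied = "x-forwarded-for" in req.headers;
  if (opts.localOnlyMode === true && !proxied &&
      LOOPBACK.has(req.socket.remoteAddress)) {
    return LOCAL_DEV_USER;
  }
  return null;
}

// Constructed requests as the app sees them. proxiedAnon: external
// client via reverse proxy, no token. localDev: developer on the same host.
const proxiedAnon = { headers: { "x-forwarded-for": "203.0.113.7" },
                      socket: { remoteAddress: "127.0.0.1" } };
const localDev = { headers: {}, socket: { remoteAddress: "127.0.0.1" } };
```

The explicit opt-in flag is the primary control; the forwarded-header check is defence in depth only, since a proxy that never adds the header would not be detected by it.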

| Field | Value |
|---|---|
| Vendor | markmhendrickson |
| Product | neotoma |
| CVSS | MEDIUM 6.9 |
| CISA KEV | Not listed in stored evidence |
| Original CVE published | 2026-05-29 |
| Original CVE updated | 2026-05-29 |
| Advisory published | 2026-05-29 |
| Advisory updated | 2026-05-29 |

Who should care

Organizations running Neotoma in containerized or reverse-proxy deployments, particularly those exposing debugging or administrative interfaces.

Technical summary

Improper authentication in Neotoma 0.6.0–0.11.0 treats reverse-proxied public requests as local when they are received on a loopback socket without a Bearer token, granting unauthenticated access to the Inspector and administrative APIs.

Defensive priority

medium

Recommended defensive actions

  • Upgrade Neotoma to version 0.11.1 or later
  • If immediate upgrade is not possible, implement network-level access controls to restrict loopback-bound traffic to legitimate proxy sources
  • Review access logs for unexpected unauthenticated requests to /inspector or administrative API endpoints
  • Consider binding Neotoma to a Unix domain socket or dedicated network interface rather than loopback when behind reverse proxies
  • Verify reverse proxy configuration does not forward external X-Forwarded-* headers that might confuse origin detection

Evidence notes

Vulnerability description and fix version confirmed via GitHub Security Advisory and release notes. CVSS vector from NVD modified feed. CWE-288 (Authentication Bypass) and CWE-306 (Missing Authentication for Critical Function) identified in source metadata.

Official resources

2026-05-29