What is GHSA-qggg-4j5m-mx55?

GHSA-qggg-4j5m-mx55 is a security advisory published by GitHub Security Advisories with High severity. code100x contains an authentication bypass vulnerability in the Mobile API that allows...

Which CVE IDs does GHSA-qggg-4j5m-mx55 cover?

GHSA-qggg-4j5m-mx55 covers the following CVE IDs: CVE-2026-8890. Each CVE has its own detail page on EchelonGraph Pulse with the synthesized EG score.

What is the CVSS v3 score of GHSA-qggg-4j5m-mx55?

GHSA-qggg-4j5m-mx55 has a CVSS v3 base score of 8.2, published by GitHub Security Advisories.

GHSA-qggg-4j5m-mx55HighCVSS 8.2

code100x contains an authentication bypass vulnerability in the Mobile API that allows...

Vendor

GitHub Security Advisories

Published

May 26, 2026

Last Modified

May 26, 2026

🔗 CVE IDs covered (1)

CVE-2026-8890 →

📋 Description

code100x contains an authentication bypass vulnerability in the Mobile API that allows unauthenticated attackers to impersonate arbitrary users by supplying a crafted JSON payload in the 'g' HTTP header. The middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value, allowing attackers to inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint accepts as trusted, granting unauthorized access to course data belonging to any enrolled user or administrator.

🔗 References (7)

https://nvd.nist.gov/vuln/detail/CVE-2026-8890
https://github.com/code100x/cms/issues/1924
https://github.com/code100x/cms/pull/1927
https://github.com/code100x/cms/pull/1927/changes/88c6c5e94e23da101235c4c7e9c7591ac1016549
https://github.com/code100x/cms/pull/1927/changes/90b489ee7c63c301107d6374d4b3f2b8e4060fe5
https://www.vulncheck.com/advisories/code100x-mobile-api-authentication-bypass-via-header-spoofing
https://github.com/advisories/GHSA-qggg-4j5m-mx55