CVE-2026-28678 identifies a vulnerability in the toxicbishop DSA-with-tsx product, an interactive educational web application known as DSA Study Hub. The issue lies in the user authentication system implemented in server/routes/auth.js, where JSON Web Tokens (JWTs) used for authentication were stored in HTTP cookies without cryptographic protection of the payload. This means the JWTs were susceptible to interception and tampering during transmission or via client-side attacks such as cross-site scripting (XSS). The vulnerability is classified under CWE-311 (Missing Encryption of Sensitive Data) and CWE-522 (Insufficiently Protected Credentials). The lack of encryption on authentication tokens compromises confidentiality and integrity, allowing attackers to potentially hijack user sessions or impersonate users. The vulnerability was present in all versions prior to commit d527fba, which introduced cryptographic protection for the JWT payload in cookies, effectively mitigating the risk. The CVSS v3.1 score of 8.1 reflects a network attack vector with low complexity, no privileges required, but user interaction needed (e.g., tricking a user to visit a malicious site). The scope is unchanged, but the impact on confidentiality and integrity is high, while availability is unaffected. No known exploits are currently reported in the wild, but the vulnerability poses a significant risk due to the sensitive nature of authentication tokens and the widespread use of JWTs in web applications.

The primary impact of this vulnerability is the compromise of user authentication tokens, which can lead to unauthorized access to user accounts and sensitive data within the DSA Study Hub application. Attackers who intercept or manipulate JWTs can impersonate legitimate users, potentially gaining access to personal information, educational content, or administrative functions depending on user roles. This undermines user trust and can lead to data breaches, privacy violations, and reputational damage for organizations deploying the affected software. Since the vulnerability requires user interaction but no privileges, phishing or social engineering attacks could facilitate exploitation. The lack of encryption on tokens also increases the risk in environments where network traffic can be monitored or manipulated, such as public Wi-Fi or compromised networks. Although availability is not directly impacted, the integrity and confidentiality breaches can have cascading effects on organizational security posture and compliance with data protection regulations.

Organizations using toxicbishop DSA-with-tsx should immediately update to the patched version containing commit d527fba or later, which implements cryptographic protection of JWT payloads in cookies. Beyond patching, it is critical to enforce secure cookie attributes such as Secure, HttpOnly, and SameSite flags to reduce the risk of token theft via client-side attacks. Implementing Content Security Policy (CSP) headers can mitigate cross-site scripting risks that might expose tokens. Additionally, monitoring authentication logs for unusual token usage or session anomalies can help detect exploitation attempts. Employing network-level protections such as TLS encryption for all communications is essential to prevent interception. Educating users about phishing risks and enforcing multi-factor authentication (MFA) can further reduce the impact of compromised tokens. Regular security audits and code reviews focusing on credential storage and transmission practices should be institutionalized to prevent similar vulnerabilities.