CVE-2026-42300: CWE-288: Authentication Bypass Using an Alternate Path or Channel in l3montree-dev devguard
DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated attacker who knows or can guess a target user's Kratos identity UUID can issue requests as that user. Where the target user is an organisation admin or owner, this gives the attacker full control over that organisation's DevGuard resources. This vulnerability is fixed in 1.2.2.
AI Analysis
Technical Summary
DevGuard versions before 1.2.2 contain an authentication bypass vulnerability (CWE-288) due to improper validation of the X-Admin-Token HTTP header in SessionMiddleware. When no Kratos session cookie is present, the middleware trusts the raw string value of this header as the authenticated user ID. This allows unauthenticated attackers who can guess or know a user's Kratos identity UUID to impersonate that user. If the impersonated user is an organization admin or owner, the attacker gains full administrative control over that organization's DevGuard resources. The vulnerability is rated critical with a CVSS 4.0 score of 9.3. The issue is fixed in DevGuard version 1.2.2.
Potential Impact
An unauthenticated attacker can bypass authentication by supplying a crafted X-Admin-Token header containing a valid Kratos identity UUID. This enables the attacker to impersonate any user, including organization admins or owners, thereby gaining full control over the targeted organization's DevGuard resources. This can lead to unauthorized access, modification, or disruption of vulnerability management operations within the affected organization.
Mitigation Recommendations
Upgrade DevGuard to version 1.2.2 or later, where this vulnerability is fixed. Since the advisory states the issue is resolved in 1.2.2, applying this official fix is the recommended remediation. Patch status is not explicitly confirmed beyond this version indication, so verify with the vendor advisory before deployment.
CVE-2026-42300: CWE-288: Authentication Bypass Using an Alternate Path or Channel in l3montree-dev devguard
Description
DevGuard provides vulnerability management for the full software supply chain. Prior to 1.2.2, the SessionMiddleware accepts a client-supplied X-Admin-Token HTTP request header and uses its raw string value as the authenticated userID when no Kratos session cookie is present. An unauthenticated attacker who knows or can guess a target user's Kratos identity UUID can issue requests as that user. Where the target user is an organisation admin or owner, this gives the attacker full control over that organisation's DevGuard resources. This vulnerability is fixed in 1.2.2.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
DevGuard versions before 1.2.2 contain an authentication bypass vulnerability (CWE-288) due to improper validation of the X-Admin-Token HTTP header in SessionMiddleware. When no Kratos session cookie is present, the middleware trusts the raw string value of this header as the authenticated user ID. This allows unauthenticated attackers who can guess or know a user's Kratos identity UUID to impersonate that user. If the impersonated user is an organization admin or owner, the attacker gains full administrative control over that organization's DevGuard resources. The vulnerability is rated critical with a CVSS 4.0 score of 9.3. The issue is fixed in DevGuard version 1.2.2.
Potential Impact
An unauthenticated attacker can bypass authentication by supplying a crafted X-Admin-Token header containing a valid Kratos identity UUID. This enables the attacker to impersonate any user, including organization admins or owners, thereby gaining full control over the targeted organization's DevGuard resources. This can lead to unauthorized access, modification, or disruption of vulnerability management operations within the affected organization.
Mitigation Recommendations
Upgrade DevGuard to version 1.2.2 or later, where this vulnerability is fixed. Since the advisory states the issue is resolved in 1.2.2, applying this official fix is the recommended remediation. Patch status is not explicitly confirmed beyond this version indication, so verify with the vendor advisory before deployment.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-26T12:13:55.552Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a036fcccbff5d86100cc52f
Added to database: 5/12/2026, 6:22:04 PM
Last enriched: 5/12/2026, 6:36:52 PM
Last updated: 5/13/2026, 3:57:22 AM
Views: 6
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.