Code100X · Code100X · CVE-2026-8890
**Name of the Vulnerable Software and Affected Versions**
code100x (affected versions not specified)
**Description**
An authentication bypass exists in the Mobile API. Unauthenticated attackers can impersonate arbitrary users by providing a crafted JSON payload in the 'g' HTTP header. This occurs because the middleware in `middleware.ts` skips identity header generation when an `Auth-Key` header is present without validating its value. Consequently, attackers can inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint trusts, granting unauthorized access to course data of administrators or enrolled users.
**Recommendations**
At the moment, there is no information about a newer version that contains a fix for this vulnerability.
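The middleware pattern from the description, next to a hardened form, as an added sketch that is not code100x source code. Only the `g` and `Auth-Key` header names come from the advisory; the function names, the key-to-user mapping, the session parameter and the sample values are assumptions made for illustration.

```typescript
// Added illustration, not code100x source. 'g' and 'Auth-Key' come from the
// advisory; all other names and the sample keys/users are constructed.
type Headers = Record<string, string>; // header names lower-cased
type User = { id: string; role: string };
const IDENTITY_HEADER = "g";
const AUTH_KEY_HEADER = "auth-key";

// Assumed server-side mapping from API key to its owner (constructed data).
const API_KEYS: Record<string, User> = {
  "k-student-constructed": { id: "student-7", role: "user" },
};

// Compares every position so the check does not exit on the first mismatch.
function constantTimeEqual(a: string, b: string): boolean {
  let diff = a.length ^ b.length;
  for (let i = 0; i < Math.max(a.length, b.length); i++) diff |= (a.charCodeAt(i) || 0) ^ (b.charCodeAt(i) || 0);
  return diff === 0;
}

// Flaw as described: Auth-Key presence alone skips identity generation, so a
// client-supplied 'g' reaches the handler. Returning null means "reject".
function flawedMiddleware(req: Headers, session: User | null): Headers | null {
  if (AUTH_KEY_HEADER in req) return req;
  if (!session) return null;
  return { ...req, [IDENTITY_HEADER]: JSON.stringify(session) };
}

// Hardened: drop any inbound 'g', validate the key value, then set 'g' from
// server-side state only.
function hardenedMiddleware(req: Headers, session: User | null): Headers | null {
  const clean: Headers = { ...req };
  delete clean[IDENTITY_HEADER];
  let user = session;
  const presented = req[AUTH_KEY_HEADER];
  if (presented !== undefined) {
    user = null; // a presented key must validate; no fallback to the session
    for (const key of Object.keys(API_KEYS)) {
      if (constantTimeEqual(presented, key)) user = API_KEYS[key] ?? null;
    }
  }
  if (!user) return null;
  clean[IDENTITY_HEADER] = JSON.stringify(user);
  return clean;
}

// Identity the downstream handler would read from the forwarded headers.
function identityOf(h: Headers | null): User | null {
  const raw = h ? h[IDENTITY_HEADER] : undefined;
  return raw ? (JSON.parse(raw) as User) : null;
}
```

Until a fixed release exists, the same two properties can be checked at a reverse proxy in front of the application: inbound `g` headers are stripped, and requests carrying an `Auth-Key` that does not validate are rejected.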