PT-2026-37260 · Devguard · Devguard

Published: 2026-05-05 · Updated: 2026-05-20 · CVE-2026-42300

CVSS v4.0: 9.3 (Critical)

Vector: AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions: DevGuard versions prior to 1.2.2

Description: An authentication bypass exists in the SessionMiddleware, which accepts a client-supplied X-Admin-Token HTTP request header. When no Kratos session cookie is present, the raw string value of this header is used as the authenticated userID. An unauthenticated attacker who possesses or guesses a target user's Kratos identity UUID can issue requests as that user. If the target user is an organization admin or owner, the attacker can gain full administrative control over the organization's resources.

Recommendations: Update to version 1.2.2. Configure a reverse proxy to strip the X-Admin-Token header before forwarding requests to the API.
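The flaw class described above, shown as a vulnerable resolver beside its hardened form together with the header-stripping mitigation, as an added Go example that is not DevGuard's code. The session cookie name, the API path and the session/UUID values are constructed assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
)

// Constructed stand-in for the Kratos session store: cookie value -> identity UUID.
var sessions = map[string]string{"sess-alice": "0f3c9a7e-0000-4000-8000-000000000001"}

const sessionCookie = "session" // hypothetical cookie name, not taken from the advisory

// vulnerableUserID reproduces the flaw class in the advisory: with no session
// cookie, the raw X-Admin-Token header value is trusted as the user ID.
func vulnerableUserID(r *http.Request) string {
	if c, err := r.Cookie(sessionCookie); err == nil {
		return sessions[c.Value]
	}
	return r.Header.Get("X-Admin-Token")
}

// hardenedUserID trusts the session store only; no session means anonymous.
func hardenedUserID(r *http.Request) string {
	if c, err := r.Cookie(sessionCookie); err == nil {
		return sessions[c.Value]
	}
	return ""
}

// resolve sends a request with the given cookie/header to the resolver; strip
// emulates the advisory's reverse-proxy mitigation of deleting the header first.
func resolve(resolver func(*http.Request) string, cookie, header string, strip bool) string {
	r := httptest.NewRequest(http.MethodGet, "/api/v1/organizations", nil)
	if cookie != "" {
		r.AddCookie(&http.Cookie{Name: sessionCookie, Value: cookie})
	}
	if header != "" {
		r.Header.Set("X-Admin-Token", header)
	}
	if strip {
		r.Header.Del("X-Admin-Token")
	}
	return resolver(r)
}
```

With a valid session both resolvers agree; with no session and only the header, the vulnerable resolver returns whatever UUID the client supplied, while the hardened resolver (or the stripped request) yields no identity.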

Weakness Enumeration

Authentication Bypass Using an Alternate Path or Channel

Related Identifiers

CVE-2026-42300
GHSA-2G9V-7MR5-FGJG
GO-2026-4988

Affected Products

Devguard