CVE-2026-42889

Name of the Vulnerable Software and Affected Versions Relay Server versions 0.9.0 through 0.9.6

Description An authentication bypass exists in the multi-document WebSocket endpoints. When authentication is enabled, WebSocket connections lacking a token query parameter are incorrectly granted full server permissions. This allows an unauthenticated network attacker who possesses or guesses a document ID to connect to the document sync WebSocket and read or modify document contents without a valid document token.

Recommendations Update Relay Server to version 0.9.7.