CVE-2026-45577

Name of the Vulnerable Software and Affected Versions Neotoma versions 0.6.0 through 0.11.0

Description Neotoma can treat public reverse-proxied requests as local when the application receives them over a loopback socket and no Bearer token is present. This occurs in deployments behind a reverse proxy or same-host tunnel that forwards traffic to the Node process over loopback. The REST auth middleware may resolve these unauthenticated requests as the local development user, allowing unauthorized access to production data via the hosted Inspector and related API surface without credentials.

Recommendations Update to version 0.11.1.