CVE-2026-8890

Name of the Vulnerable Software and Affected Versions code100x (affected versions not specified)

Description An authentication bypass exists in the Mobile API. Unauthenticated attackers can impersonate arbitrary users by providing a crafted JSON payload in the 'g' HTTP header. This occurs because the middleware in middleware.ts skips identity header generation when an Auth-Key header is present without validating its value. Consequently, attackers can inject a spoofed user identity header that the downstream route handler in the mobile courses endpoint trusts, granting unauthorized access to course data of administrators or enrolled users.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.