PT-2026-53920 · Unknown · Vibe-Trading

Published: 2026-06-30 · Updated: 2026-06-30 · CVE-2026-58169

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Vibe-Trading versions prior to 0.1.10

Description: The local API server uses the TCP peer address as an authentication signal: requests that arrive from a loopback address skip the API AUTH KEY bearer-token check. At the same time it binds to 0.0.0.0 by default, performs no Host header validation, and enables credentialed CORS. A malicious web page can therefore use DNS rebinding: the victim's browser resolves the attacker's hostname to 127.0.0.1, so the resulting requests reach the API over a loopback socket, carry an attacker-controlled Host header that the server never checks, and are treated as coming from a trusted local client. Because loopback requests also auto-enable shell tools, the page can call 'POST /swarm/runs' with a built-in preset that permits the bash tool and achieve remote code execution as the API process user. The same bypass allows starting the live runner and overwriting the LLM and data-source settings, redirecting provider traffic and exfiltrating credentials.

Recommendations: Update Vibe-Trading to version 0.1.10 or later. Note that restricting the bind address to 127.0.0.1 alone does not close this path: DNS-rebound requests arrive over loopback regardless of the bind address, so the loopback trust itself and the missing Host validation are what must be removed.
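To make the authorization flaw concrete, here is an added example written for this page, not Vibe-Trading's own code: a minimal request model with the vulnerable loopback-trust check beside a hardened check that ignores the peer address, allow-lists the Host header and always requires the bearer token. The port, the demo secret, the `ALLOWED_HOSTS` set and all helper names are assumptions for the illustration.

```python
"""Added illustration of the authorization shortcut the advisory describes,
beside a hardened version. Example code for this page, not Vibe-Trading's
implementation; the port, demo secret and helper names are assumptions."""
import hmac
import ipaddress
from dataclasses import dataclass, field

API_PORT = 8000                      # assumed listening port
API_AUTH_KEY = "VIBE_API_KEY_DEMO"   # demo secret only; load from config in real code
# Host values a local client legitimately sends; a rebound attacker hostname
# is not among them, so the hardened check rejects it.
ALLOWED_HOSTS = frozenset({
    f"localhost:{API_PORT}", f"127.0.0.1:{API_PORT}", f"[::1]:{API_PORT}",
})


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: TCP peer address plus headers."""
    peer_ip: str
    headers: dict = field(default_factory=dict)

    def header(self, name: str):
        for key, value in self.headers.items():
            if key.lower() == name.lower():
                return value
        return None


def is_loopback(ip: str) -> bool:
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:
        return False


def bearer_ok(req: Request, expected: str = API_AUTH_KEY) -> bool:
    """Constant-time comparison of the presented bearer token."""
    scheme, _, token = (req.header("Authorization") or "").partition(" ")
    return scheme.lower() == "bearer" and hmac.compare_digest(
        token.strip().encode(), expected.encode())


def authorize_vulnerable(req: Request) -> bool:
    """The pattern the advisory describes: a loopback peer skips the token
    check. A DNS-rebound browser request arrives over loopback, so it passes."""
    return is_loopback(req.peer_ip) or bearer_ok(req)


def authorize_hardened(req: Request, allowed_hosts=ALLOWED_HOSTS) -> bool:
    """The peer address is not an auth signal: require an allow-listed Host
    (a rebound request carries the attacker's hostname) and the bearer
    token on every request, loopback or not."""
    host = req.header("Host")
    if host is None or host.strip().lower() not in allowed_hosts:
        return False
    return bearer_ok(req)


def cors_allow_origin(origin, allowed_origins=frozenset()):
    """Credentialed CORS must echo only an explicit allow-list, never '*'
    or a reflected Origin; returning None means omit the header."""
    return origin if origin in allowed_origins else None


if __name__ == "__main__":
    # Constructed request as a rebound page would make the browser send:
    # loopback socket, attacker's rebound name in Host, no token.
    rebound = Request("127.0.0.1", {"Host": f"attacker.example:{API_PORT}",
                                    "Origin": f"http://attacker.example:{API_PORT}"})
    print("vulnerable:", authorize_vulnerable(rebound))   # True
    print("hardened:  ", authorize_hardened(rebound))     # False
```

The rebound request is accepted by `authorize_vulnerable` purely because the socket is loopback, and rejected by `authorize_hardened` because its Host is not on the allow-list and it carries no token; a genuine local client with the correct Host and bearer token still passes the hardened check.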

Weakness Enumeration

Origin Validation Error

Related Identifiers

CVE-2026-58169

Affected Products

Vibe-Trading