PT-2026-54912 · Npm · @Acastellon/Auth
Hackchang
·
Published
2026-06-18
·
Updated
2026-07-02
·
CVE-2026-58399
CVSS v4.0
9.3
Critical
| Vector | AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N |
Name of the Vulnerable Software and Affected Versions
@acastellon/auth versions prior to 2.3.0
Description
An authentication bypass exists in the
validateToken() middleware. The issue stems from improper trust in spoofable request headers and flawed request flow control, which allows the next() function to be called before authentication checks are completed. Specifically, a service-to-service bypass is triggered when the auth-user header is set to service-brother and the Host header starts with the value returned by getHostName(). Since both the auth-user and Host headers are controlled by the client, a remote unauthenticated attacker can craft these headers to skip legacy, JWT, or OIDC token validation, potentially leading to unauthorized access, privilege escalation, and lateral movement.Recommendations
Update to version 2.3.0.
Fix
Improper Authentication
Authentication Bypass by Spoofing
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
@Acastellon/Auth