PT-2026-54912 · Npm · @Acastellon/Auth

Hackchang

·

Published

2026-06-18

·

Updated

2026-07-02

·

CVE-2026-58399

CVSS v4.0

9.3

Critical

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions @acastellon/auth versions prior to 2.3.0
Description An authentication bypass exists in the validateToken() middleware. The issue stems from improper trust in spoofable request headers and flawed request flow control, which allows the next() function to be called before authentication checks are completed. Specifically, a service-to-service bypass is triggered when the auth-user header is set to service-brother and the Host header starts with the value returned by getHostName(). Since both the auth-user and Host headers are controlled by the client, a remote unauthenticated attacker can craft these headers to skip legacy, JWT, or OIDC token validation, potentially leading to unauthorized access, privilege escalation, and lateral movement.
Recommendations Update to version 2.3.0.

Fix

Improper Authentication

Authentication Bypass by Spoofing

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58399
GHSA-GFJ5-979R-92PW

Affected Products

@Acastellon/Auth