PT-2026-57913 · Hedgedoc · Hedgedoc

Published

2026-07-13

·

Updated

2026-07-13

·

CVE-2026-58488

CVSS v4.0

6.9

Medium

VectorAV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Versions prior to 1.11.0 allowed attackers to circumvent the rate-limiting of the /login and /register routes by spoofing IP addresses. HedgeDoc instances checked for CloudFlare's cf-connecting-ip header and used that instead of the users real IP address, if the header was present even when the request did not originate from Cloudflare. This made it possible for an attacker to spam login requests or create multiple arbitrary accounts by sending another cf-connecting-ip header every few requests. The issue has been fixed in version 1.11.0.

Fix

Authentication Bypass by Spoofing

Allocation of Resources Without Limits

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2026-58488

Affected Products

Hedgedoc