CVE-2026-49231

Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX:...

EUVD-2026-38020

Authentication Bypass by Spoofing vulnerability in opa plugin. An attacker could relay spoofed identity headers to upstream capitalising on non-default configuration in opa plugin. This could allow the attacker to assume higher privileges on the upstream service. This issue affects Apache APISIX:...

User Impersonation

Overview Affected versions of this package are vulnerable to User Impersonation via spoofed X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a shared token. An attacker can gain unauthorized access to owner or organization-scoped lease operations by injecting malicious...

EUVD-2026-30369

Crabbox prior to v0.12.0 contains an authentication bypass vulnerability that allows non-admin shared-token callers to impersonate other owners or organizations by spoofing identity headers. Attackers can inject malicious X-Crabbox-Owner and X-Crabbox-Org headers in requests authenticated with a...

PT-2026-40979

Summary A vulnerability in Fleet's IP extraction logic allows unauthenticated attackers to bypass API rate limiting by spoofing client IP headers. This may allow brute-force login attempts or other abuse against Fleet instances exposed to the public internet. Impact Fleet extracted client IP...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the ServeHTTP function, which does not sufficiently sanitize X- alias headers. An attacker can gain unauthenticated access to protected endpoints by injecting spoofed trust context with...

Missing Authentication for Critical Function

Overview Affected versions of this package are vulnerable to Missing Authentication for Critical Function in the ServeHTTP function, which does not sufficiently sanitize X- alias headers. An attacker can gain unauthenticated access to protected endpoints by injecting spoofed trust context with...

CVE-2026-29794

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of...

GO-2026-4791 Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers in code.vikunja.io/api. NOTE: The source advisory for this report contains additional versions that could not be automatically mapped to standard Go module versions. If this is causing false-positive reports from...

EUVD-2026-13706

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers...

GHSA-M547-HP4W-J6JX Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Summary Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP. Details In the first file below, the rate-limit for unauthenticated users can be observed...

CVE-2026-29794 Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of...

CVE-2026-29794 Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of...

CVE-2026-29794

Vikunja (open-source self-hosted task management) before version 2.2.0 is affected by a rate-limit bypass vulnerability. The issue arises because rate-limiting is enforced using (echo.Context).RealIP, and unauthenticated requests can spoof headers X-Forwarded-For or X-Real-IP to bypass limits. Th...

CVE-2026-29794 Vikunja has Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Vikunja is an open-source self-hosted task management platform. Starting in version 0.8 and prior to version 2.2.0, unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of...

Vikunja has a Rate-Limit Bypass for Unauthenticated Users via Spoofed Headers

Unauthenticated users are able to bypass the application's built-in rate-limits by spoofing the X-Forwarded-For or X-Real-IP headers due to the rate-limit relying on the value of echo.Context.RealIP...

CVE-2025-69240

Raytha CMS contains a vulnerability where an attacker can spoof X-Forwarded-Host or Host headers to direct a password reset email to a attacker-controlled domain. If a victim clicks the reset link, the token is exposed to the attacker, enabling password reset and account takeover. The issue is do...

CVE-2026-28465

OpenClaw's voice-call plugin versions before 2026.2.3 contain an improper authentication vulnerability in webhook verification that allows remote attackers to bypass verification by supplying untrusted forwarded headers. Attackers can spoof webhook events by manipulating Forwarded or X-Forwarded-...

CVE-2026-21862 RustFS sourceIp bypass via spoofed X-Forwarded-For/Real-IP headers

RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: getconditionvalues trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy...

CVE-2026-21862

RustFS had an authorization bypass vulnerability in IP-based access control prior to alpha.78. The get_condition_values logic trusts client-supplied X-Forwarded-For/X-Real-IP without proxy verification, allowing reachable clients to spoof aws:SourceIp and defeat IP allowlists. This can enable una...