CVE-2026-45577

Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1.

CVSS

No CVSS.

References

Link	Resource
https://github.com/markmhendrickson/neotoma/releases/tag/v0.11.1
https://github.com/markmhendrickson/neotoma/security/advisories/GHSA-5cvp-p7p4-mcx9

Configurations

No configuration.

History

29 May 2026, 18:17

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-05-29 18:17

Updated : 2026-06-01 18:45

NVD link : CVE-2026-45577

Mitre link : CVE-2026-45577

CVE.ORG link : CVE-2026-45577

JSON object : View

Products Affected

No product.

CWE

CWE-288

Authentication Bypass Using an Alternate Path or Channel

CWE-306

Missing Authentication for Critical Function

{"id": "CVE-2026-45577", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 6.9, "Automatable": "NOT_DEFINED", "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "NONE", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-05-29T18:17:10.007", "references": [{"url": "https://github.com/markmhendrickson/neotoma/releases/tag/v0.11.1", "source": "security-advisories@github.com"}, {"url": "https://github.com/markmhendrickson/neotoma/security/advisories/GHSA-5cvp-p7p4-mcx9", "source": "security-advisories@github.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Primary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-288"}, {"lang": "en", "value": "CWE-306"}]}], "descriptions": [{"lang": "en", "value": "Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1."}], "lastModified": "2026-06-01T18:45:39.580", "sourceIdentifier": "security-advisories@github.com"}