CVE-2026-58169 - Vibe-Trading < 0.1.10 - Loopback Trust and Missing Host Validation Enable DNS-Rebinding Authentication Bypass and Remote Code Execution
CVE ID :CVE-2026-58169
Published : June 30, 2026, 3:52 p.m. | 2 hours, 50 minutes ago
Description :Vibe-Trading before 0.1.10's local API server trusts the TCP peer address to bypass the API_AUTH_KEY bearer-token check for loopback clients and performs no Host header validation, while binding to 0.0.0.0 with credentialed CORS by default. A DNS-rebinding web page can therefore issue authenticated requests to the local API as a trusted loopback client. Because loopback requests also auto-enable shell tools, an attacker can reach POST /swarm/runs with a built-in preset that permits the bash tool and achieve remote code execution as the API process user; the same bypass allows starting the live runner and overwriting LLM and data-source settings to redirect provider traffic and exfiltrate credentials.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
Published : June 30, 2026, 3:52 p.m. | 2 hours, 50 minutes ago
Description :Vibe-Trading before 0.1.10's local API server trusts the TCP peer address to bypass the API_AUTH_KEY bearer-token check for loopback clients and performs no Host header validation, while binding to 0.0.0.0 with credentialed CORS by default. A DNS-rebinding web page can therefore issue authenticated requests to the local API as a trusted loopback client. Because loopback requests also auto-enable shell tools, an attacker can reach POST /swarm/runs with a built-in preset that permits the bash tool and achieve remote code execution as the API process user; the same bypass allows starting the live runner and overwriting LLM and data-source settings to redirect provider traffic and exfiltrate credentials.
Severity: 7.7 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...