CVE-2026-48518
Status: Received - Intake
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description
MultiJuicer is used to run separate Juice Shop instances on a central kubernetes cluster without the need for local instances. In versions 8.0.0 through 10.0.0, the team join endpoint (POST /multi-juicer/api/teams/{team}/join) accepted requests with any Content-Type, including text/plain. Because that content type does not trigger a CORS preflight, an attacker could host a cross-site HTML form that auto-submits to the endpoint and forces a victim's browser to log in as the attacker's team. A successful, undetected attacker can cause victims to unwittingly solve Juice Shop challenges under the attacker's team identity. In a CTF context this lets the attacker inflate their team's score using other players' activity, and any sensitive data the victim enters into "their" Juice Shop ends up in the attacker's instance. The vulnerability is exploitable without any prior authentication; the victim only needs to visit a page the attacker controls while having network access to the MultiJuicer deployment. SameSite=Strict on the session cookie does not mitigate this, because the attack plants a new cookie rather than relying on an existing one. This issue was fixed in version 10.0.1.
Meta Information
Generated: 2026-06-16
AI Q&A: 2026-06-16
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-352: The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Executive Summary

This vulnerability exists in MultiJuicer versions 8.0.0 through 10.0.0, specifically in the team join endpoint (POST /multi-juicer/api/teams/{team}/join). The endpoint accepts requests with any Content-Type, including text/plain, which does not trigger a CORS preflight check.

An attacker can exploit this by hosting a cross-site HTML form that auto-submits to the endpoint, causing a victim's browser to log in as the attacker's team without the victim's knowledge or consent.

This attack does not require prior authentication and only requires the victim to visit a page controlled by the attacker while having network access to the MultiJuicer deployment.

The attack works by planting a new session cookie rather than relying on an existing one, so protections like SameSite=Strict on cookies do not prevent it.

In a Capture The Flag (CTF) context, this allows the attacker to inflate their team's score using other players' activity and access any sensitive data the victim enters into the Juice Shop under the attacker's team identity.

This vulnerability was fixed in MultiJuicer version 10.0.1.

Impact Analysis

This vulnerability does not hijack your existing session; it is a login CSRF. An attacker can force your browser to log in as the attacker's team, replacing whatever MultiJuicer session you had, without your knowledge.

As a result, any actions you take, such as solving challenges in the Juice Shop, will be attributed to the attacker's team, potentially inflating their score unfairly.

Additionally, any sensitive data you enter while logged in under the attacker's team identity could be exposed to the attacker.

This attack requires only that you visit a page controlled by the attacker while having network access to the MultiJuicer deployment, making it relatively easy to exploit.

Mitigation Strategies

To mitigate this vulnerability, upgrade MultiJuicer to version 10.0.1 or later, where the issue has been fixed.

Additionally, consider restricting the team join endpoint to Content-Type: application/json. An HTML form cannot send that content type, and a cross-origin fetch() that sets it is subject to a CORS preflight, so the text/plain path used by the attack is closed off. Checking the Origin or Sec-Fetch-Site header on the endpoint is a complementary defence against cross-site callers.

Ensure users are aware of the risk of visiting untrusted web pages while connected to the MultiJuicer deployment.
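As an added example (this is not MultiJuicer's own code, nor the project's actual fix), the following Node.js snippet shows both halves of the issue described above: why a POST with Content-Type: text/plain reaches the endpoint without a CORS preflight while application/json does not, and a server-side guard that insists on application/json and rejects cross-site callers via Origin / Sec-Fetch-Site. The origin names, the request objects and their header values are constructed for illustration; the actual body format of the join request is not modelled.

```javascript
// Added example for CVE-2026-48518 (not MultiJuicer's code). Shows why a
// text/plain POST is sent cross-origin without a preflight, and a guard of the
// kind the fix needs: require application/json and reject cross-site callers.
// All origins, request objects and header values below are constructed.

// Request headers a browser may send cross-origin without a preflight
// (the CORS-safelisted request headers from the Fetch standard).
const SAFELISTED_HEADERS = new Set(['accept', 'accept-language', 'content-language', 'content-type']);
// ...and the only media types allowed in a safelisted Content-Type. An HTML
// <form> can produce exactly these three and nothing else, so an
// auto-submitting form reaches the endpoint directly.
const SAFELISTED_CONTENT_TYPES = new Set([
  'application/x-www-form-urlencoded',
  'multipart/form-data',
  'text/plain',
]);

// "Text/Plain; charset=UTF-8" -> "text/plain"
function mediaType(contentType) {
  return (contentType || '').split(';')[0].trim().toLowerCase();
}

// Would a cross-origin request with this method and these author-set headers
// go straight to the server (true) or be preceded by an OPTIONS preflight
// (false)? Browser-set headers such as Origin are not passed here.
function isPreflightFree(method, headers) {
  if (!['GET', 'HEAD', 'POST'].includes(method.toUpperCase())) return false;
  for (const [name, value] of Object.entries(headers)) {
    const n = name.toLowerCase();
    if (!SAFELISTED_HEADERS.has(n)) return false;
    if (n === 'content-type' && !SAFELISTED_CONTENT_TYPES.has(mediaType(value))) return false;
  }
  return true;
}

// Server-side guard for the join endpoint. A cross-site form fails the first
// check (it cannot send application/json). A cross-site fetch() that does send
// JSON is preflighted, and even if the preflight were answered permissively it
// still fails the origin checks, because the browser stamps the attacker's
// Origin / Sec-Fetch-Site on the request. Requests without those headers
// (non-browser clients) are only held to the Content-Type rule.
function joinRequestVerdict(req, trustedOrigin) {
  const h = req.headers;
  if (mediaType(h['content-type']) !== 'application/json') {
    return { status: 415, reason: 'Content-Type must be application/json' };
  }
  if (h['origin'] !== undefined && h['origin'] !== trustedOrigin) {
    return { status: 403, reason: 'Origin not trusted' };
  }
  if (h['sec-fetch-site'] !== undefined && h['sec-fetch-site'] !== 'same-origin') {
    return { status: 403, reason: 'Sec-Fetch-Site is not same-origin' };
  }
  return { status: 200, reason: 'ok' };
}

const TRUSTED_ORIGIN = 'https://multijuicer.example'; // illustrative

// What the victim's browser sends for the attacker's auto-submitting
// <form method="POST" enctype="text/plain"> (constructed).
const crossSiteFormPost = {
  method: 'POST',
  headers: { 'content-type': 'text/plain', 'origin': 'https://attacker.example', 'sec-fetch-site': 'cross-site' },
};

// What the balancer's own front end sends (constructed).
const sameOriginJsonPost = {
  method: 'POST',
  headers: { 'content-type': 'application/json', 'origin': TRUSTED_ORIGIN, 'sec-fetch-site': 'same-origin' },
};

// A cross-site fetch() that sets application/json (constructed): preflighted.
const crossSiteJsonFetch = {
  method: 'POST',
  headers: { 'content-type': 'application/json', 'origin': 'https://attacker.example', 'sec-fetch-site': 'cross-site' },
};

function demo() {
  return {
    formIsPreflightFree: isPreflightFree('POST', { 'content-type': 'text/plain' }),        // true
    jsonIsPreflightFree: isPreflightFree('POST', { 'content-type': 'application/json' }),  // false
    formVerdict: joinRequestVerdict(crossSiteFormPost, TRUSTED_ORIGIN).status,   // 415
    legitVerdict: joinRequestVerdict(sameOriginJsonPost, TRUSTED_ORIGIN).status, // 200
    fetchVerdict: joinRequestVerdict(crossSiteJsonFetch, TRUSTED_ORIGIN).status, // 403
  };
}

console.log(demo());
```

Running it prints the verdict table: the text/plain form is preflight-free but rejected with 415, the balancer's own JSON request is accepted, and a cross-site JSON fetch is rejected with 403. Note that the Content-Type rule alone already defeats the HTML-form vector; the Origin / Sec-Fetch-Site checks are defence in depth for the case where CORS is later opened up for a legitimate cross-origin client.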
