CVE-2026-15542
Received Received - Intake

Improper Authentication in Isaiah Websocket Connection

Vulnerability report for CVE-2026-15542, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A vulnerability has been found in will-moss Isaiah up to 1.36.9. This affects an unknown function of the file app/main.go of the component Websocket Connection Authentication. The manipulation leads to improper authentication. The attack can be initiated remotely. The pull request to fix this issue awaits acceptance.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
will-moss isaiah to 1.36.9 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability exists in the Isaiah application when Forward Proxy Authentication is enabled. The application authenticates WebSocket sessions based solely on a configured HTTP header without verifying the request's origin or ensuring it comes from a trusted proxy.

If the backend is directly accessible to untrusted clients or if a reverse proxy forwards user-supplied authentication headers instead of overwriting them, an attacker can bypass normal password authentication by supplying the expected header during the WebSocket handshake.

The root cause is that the application does not enforce a trust boundary to verify that authentication headers come only from trusted proxies, allowing potential exploitation if the backend is exposed or headers are improperly forwarded.

Impact Analysis

If exploited, an unauthenticated attacker could gain access to authenticated application functions by bypassing normal authentication.

This could expose sensitive information such as Docker container metadata, logs, environment variables, and management operations.

Depending on the deployment and access to the Docker daemon, this could lead to administrative compromise of the system.

Detection Guidance

This vulnerability can be detected by checking if the Isaiah application is configured with forward proxy authentication enabled and if it accepts authentication headers from untrusted sources. Specifically, verify if the environment variable FORWARD_PROXY_AUTHENTICATION_ENABLED is set to true, and if the FORWARD_PROXY_AUTHENTICATION_HEADER_KEY and FORWARD_PROXY_AUTHENTICATION_HEADER_VALUE are configured, especially if the value is set to a wildcard "*".

You should also check if the backend is directly accessible to untrusted clients or if a reverse proxy forwards user-supplied authentication headers instead of overwriting them, which can lead to exploitation.

  • Inspect the environment variables or configuration files for FORWARD_PROXY_AUTHENTICATION_ENABLED, FORWARD_PROXY_AUTHENTICATION_HEADER_KEY, and FORWARD_PROXY_AUTHENTICATION_HEADER_VALUE.
  • Use network scanning or firewall rules to verify if the backend service is exposed directly to untrusted networks.
  • Check HTTP headers during WebSocket handshake requests to see if the configured authentication header is accepted without verifying the request origin.

Example commands to detect the vulnerability might include:

  • Using curl or similar tools to send WebSocket handshake requests with the configured authentication header from an untrusted source to see if authentication is bypassed.
  • grep or cat commands to inspect configuration files or environment variables, e.g., `grep FORWARD_PROXY_AUTHENTICATION /path/to/config` or `printenv | grep FORWARD_PROXY_AUTHENTICATION`.
  • nmap or similar tools to check if the backend service port is accessible from untrusted networks.
Mitigation Strategies

To mitigate this vulnerability immediately, ensure that the backend service is not directly accessible to untrusted clients and that any reverse proxy in front of the backend properly overwrites or strips user-supplied authentication headers.

Disable the forward proxy authentication feature by setting FORWARD_PROXY_AUTHENTICATION_ENABLED to false if it is not strictly necessary.

If forward proxy authentication must be used, configure the new trust boundary introduced in the fix by specifying trusted proxy IP addresses or CIDR ranges in the FORWARD_PROXY_AUTHENTICATION_TRUSTED_PROXIES setting. This ensures that authentication headers are only accepted from trusted proxies.

Apply the patch or update from the pull request that enforces this trust boundary once it is accepted and available.

Review and restrict network access to the backend service to prevent direct access from untrusted sources.

Compliance Impact

The vulnerability allows an attacker to bypass authentication remotely by exploiting improper verification of WebSocket connection headers. This can lead to unauthorized access to sensitive Docker container metadata, logs, environment variables, and management operations.

Such unauthorized access to sensitive data and administrative functions could result in violations of data protection regulations like GDPR or HIPAA, which require strict access controls and protection of personal or sensitive information.

Therefore, if exploited, this vulnerability may compromise compliance with these standards by exposing protected data and failing to enforce proper authentication and access controls.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15542. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart