CVE-2026-15557
Received Received - Intake

BaseFortify

Vulnerability report for CVE-2026-15557, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-13

Last updated on: 2026-07-13

Assigner: VulDB

Description

A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This manipulation of the argument x-internal-user-id request causes improper authentication. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-13
Last Modified
2026-07-13
Generated
2026-07-13
AI Q&A
2026-07-13
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
waooai waoowaoo to 0.4.1 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-287 When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-15557 is an authentication bypass vulnerability in the waooAI waoowaoo platform up to version 0.4.1. The issue occurs because the application improperly trusts certain internal request headers, such as `x-internal-user-id` and `x-internal-task-token`, to create authenticated sessions.

An attacker can exploit this by sending manipulated headers with a known default or public token (often found in default configurations) along with any arbitrary user ID. This allows the attacker to impersonate any user without proper authentication.

The root cause is insufficient validation of session identity keys and exposure of internal task headers to external clients, leading to improper authentication.

Impact Analysis

This vulnerability can allow an attacker to bypass authentication and impersonate any user on the waooAI waoowaoo platform.

  • Unauthorized access to sensitive user data.
  • Access to project information that should be restricted.
  • Unauthorized use of API functionalities.

The risk is especially high in non-production environments or default deployments where tokens are unset or unchanged, making exploitation easier.

Detection Guidance

This vulnerability can be detected by checking if your system or network is accepting and trusting the headers `x-internal-user-id` and `x-internal-task-token` from external requests. Specifically, you should verify if the default or public tokens shipped with the software (such as those in `docker-compose.yml` or `.env.example`) are still in use, as these allow attackers to impersonate any user.

You can inspect incoming HTTP requests to see if these headers are present and whether they are being accepted without proper validation.

  • Use network traffic monitoring tools like tcpdump or Wireshark to capture HTTP requests and filter for the headers `x-internal-user-id` and `x-internal-task-token`.
  • Run commands such as: `curl -v -H "x-internal-user-id: test" -H "x-internal-task-token: <token>" http://your-waoowaoo-instance/api` to test if the server accepts these headers and grants access.
  • Check your deployment files for default tokens by inspecting `docker-compose.yml` or `.env.example` files for token values.
Mitigation Strategies

Immediate mitigation steps include enforcing strong token requirements and rejecting any default or public tokens that come with the software.

You should separate internal-worker identities from end-user identities to prevent misuse of internal headers.

Additionally, configure your proxy or gateway to strip out the `x-internal-user-id` and `x-internal-task-token` headers from any external requests to prevent attackers from injecting them.

Review and update your deployment configurations to ensure no default tokens remain active.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-15557. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart