CVE-2026-58399

Authentication Bypass in @acastellon/auth via Spoofable Headers

Vulnerability report for CVE-2026-58399, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-01

Last updated on: 2026-07-01

Assigner: GitHub, Inc.

Description

@acastellon/auth is an authentication control system for microservices. Versions prior to 2.3.0 appear to allow an unauthenticated authentication bypass in validateToken() through spoofable auth-user and Host request headers. The validateToken middleware contains a service-to-service bypass for auth-user: service-brother when req.get('host').startsWith(getHostName()). Both values involved in the check can be influenced by an unauthenticated HTTP client: auth-user is a request header, and Host is also client-controlled. As a result, a remote unauthenticated attacker can send a request with crafted headers and bypass token validation before the normal legacy/JWT/OIDC validation logic runs. A fix has been implemented in v2.3.0.

Meta Information

EPSS evaluated: N/A

Affected Vendors & Products

Vendor      Product   Version / Range
acastellon  auth      earlier than 2.3.0 (2.3.0 excluded)
acastellon  auth      2.3.0

Exploitability

CWE ID    Description
CWE-287   When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct.

Executive Summary

This vulnerability exists in versions prior to 2.3.0 of the @acastellon/auth package, specifically in the validateToken() function. It allows an unauthenticated attacker to bypass authentication by spoofing the auth-user and Host HTTP request headers.

The validateToken middleware contains a service-to-service bypass that checks if the auth-user header is set to "service-brother" and if the Host header starts with a specific hostname. Both headers are client-controlled and can be manipulated by an attacker.

By sending crafted requests with these spoofed headers, the attacker can bypass token validation before the normal authentication logic (legacy/JWT/OIDC) runs, potentially gaining unauthorized access to protected routes.

Compliance Impact

This vulnerability allows unauthenticated attackers to bypass authentication controls by spoofing headers, potentially granting unauthorized access to protected routes and leading to privilege escalation in some deployments.

Such unauthorized access could result in exposure or misuse of sensitive data, which may impact compliance with standards and regulations like GDPR or HIPAA that require strict access controls and protection of personal or sensitive information.

However, the provided information does not explicitly discuss the direct impact on compliance with these regulations.

Impact Analysis

This vulnerability can allow a remote unauthenticated attacker to bypass authentication controls, gaining unauthorized access to protected routes or services.

If downstream services rely on headers like auth-user or is-* for authorization, this flaw could lead to privilege escalation, allowing attackers to perform actions or access data beyond their intended permissions.

Detection Guidance

This vulnerability can be detected by monitoring for HTTP requests that contain suspicious or crafted auth-user and Host headers attempting to bypass authentication.

Specifically, look for requests where the auth-user header is set to "service-brother" and the Host header starts with the service's hostname, as these are indicators of the bypass attempt.

You can use network monitoring or log analysis tools to filter for such requests.

  • Capture HTTP traffic with tcpdump (or a similar tool) and grep for the header; the -l flag line-buffers tcpdump's output so grep sees each packet as it arrives:

    tcpdump -l -A -s 0 'tcp port 80 or tcp port 443' | grep -i 'auth-user: service-brother'

    Note that on port 443 the headers are inside TLS and are not visible to tcpdump; for HTTPS traffic, inspect at the TLS-terminating proxy or load balancer instead.
  • Or analyze web server logs for requests with auth-user=service-brother and Host headers starting with your service hostname.

Mitigation Strategies

The immediate mitigation step is to upgrade the @acastellon/auth package to version 2.3.0 or later, where the vulnerability has been fixed.

Version 2.3.0 removes the spoofable bypass, sanitizes incoming auth-user and is-* headers, and implements mutual TLS (mTLS) client certificate authentication for enhanced security.

Until the upgrade can be applied, consider stripping or rejecting client-supplied auth-user and is-* headers at the ingress proxy or load balancer, and filtering requests whose Host header is combined with those headers in the bypass pattern, so that only trusted internal sources can set identity headers.
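The header-trust pattern described in this advisory beside a hardened form, together with the detection rule from the guidance above, as an added example that is not code from @acastellon/auth (the hostname, request shape, peerCertificate field and log records are constructed assumptions):

```javascript
// Added example, not @acastellon/auth's own code. It reconstructs the class of
// check the advisory describes and a hardened replacement; SERVICE_HOSTNAME,
// the request object shape and the peerCertificate field are assumptions.
const SERVICE_HOSTNAME = 'auth.internal.example'; // constructed value
const TRUSTED_PEER = 'service-brother';

// Vulnerable pattern (pre-2.3.0 behaviour as described): both inputs are
// plain request headers, so any HTTP client can satisfy the check.
function peerCheckVulnerable(req) {
  const host = req.headers['host'] || '';
  return req.headers['auth-user'] === TRUSTED_PEER && host.startsWith(SERVICE_HOSTNAME);
}

// Hardened: identity-carrying headers from the client are dropped before any
// downstream code reads them, and peer identity comes only from a client
// certificate the TLS layer has already verified (mTLS).
const IDENTITY_HEADER = /^(auth-user|is-[a-z0-9_-]+)$/i;
function stripIdentityHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!IDENTITY_HEADER.test(name)) clean[name] = value;
  }
  return clean;
}
function peerCheckHardened(req) {
  req.headers = stripIdentityHeaders(req.headers);
  const cert = req.peerCertificate; // assumed: set only after client-cert verification
  return Boolean(cert && cert.verified && cert.subjectCN === TRUSTED_PEER);
}

// Detection: flag access-log records that match the indicator pair from the
// guidance (auth-user set to the trusted peer name AND Host starting with the
// service hostname). Header-name matching is case-insensitive, as in HTTP.
function flagBypassAttempts(records, hostname = SERVICE_HOSTNAME) {
  return records.filter((r) =>
    (r.authUser || '').toLowerCase() === TRUSTED_PEER &&
    (r.host || '').toLowerCase().startsWith(hostname.toLowerCase()));
}

// Constructed sample inputs: one spoofed request and three access-log records.
const spoofedRequest = {
  headers: { host: 'auth.internal.example:8443', 'auth-user': 'service-brother', 'is-admin': '1' },
};
const logRecords = [
  { ip: '203.0.113.7', host: 'auth.internal.example', authUser: 'service-brother', path: '/admin' },
  { ip: '198.51.100.2', host: 'api.example.com', authUser: '', path: '/health' },
  { ip: '203.0.113.9', host: 'other.example', authUser: 'service-brother', path: '/admin' },
];
```

The third log record carries the spoofed header without the matching Host and is not flagged by this rule; a stricter rule could flag any external request that sets auth-user at all.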
