CVE-2026-58488 in HedgeDocinfo

Summary

by MITRE • 07/14/2026

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Versions prior to 1.11.0 allowed attackers to circumvent the rate-limiting of the /login and /register routes by spoofing IP addresses. HedgeDoc instances checked for CloudFlare's cf-connecting-ip header and used that instead of the users real IP address, if the header was present even when the request did not originate from Cloudflare. This made it possible for an attacker to spam login requests or create multiple arbitrary accounts by sending another cf-connecting-ip header every few requests. The issue has been fixed in version 1.11.0.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/14/2026

HedgeDoc represents a significant vulnerability in its authentication security model that allowed attackers to bypass critical rate-limiting protections designed to prevent abuse of login and registration endpoints. This flaw existed in versions prior to 1.11.0 and exploited the application's trust in CloudFlare's cf-connecting-ip header mechanism, which is commonly used to identify the original IP address of clients behind a proxy or CDN service. The vulnerability stems from improper validation of the cf-connecting-ip header, where the system accepted this header value without verifying that the request actually originated from Cloudflare's infrastructure.

The technical implementation of this flaw permitted attackers to manipulate the authentication system through simple header injection techniques that spoofed legitimate IP addresses. When HedgeDoc encountered a cf-connecting-ip header in incoming requests, it would automatically trust and utilize this value for rate-limiting calculations regardless of whether the request actually passed through CloudFlare's network. This fundamental security weakness enabled malicious actors to flood login endpoints with repeated attempts or create numerous fake accounts by cycling through different IP addresses via the spoofed header field. The attack vector was particularly effective because it required minimal sophistication and could be executed at scale without detection, as each request appeared to originate from a different IP address according to the system's rate-limiting logic.

The operational impact of this vulnerability extends beyond simple account creation abuse to encompass potential credential stuffing attacks, denial-of-service scenarios, and unauthorized access attempts that could compromise user data integrity. Attackers could systematically overwhelm the authentication system with requests while maintaining the appearance of legitimate users, making it difficult for administrators to distinguish between normal usage patterns and malicious activity. This weakness directly violates security principles related to input validation and trust boundaries, as demonstrated by CWE-284 which addresses improper access control and CWE-352 which covers cross-site request forgery vulnerabilities. The vulnerability also aligns with ATT&CK technique T1110.003 for credential stuffing attacks and T1499.004 for denial of service through resource exhaustion.

Organizations running HedgeDoc instances prior to version 1.11.0 faced significant exposure to automated abuse campaigns that could rapidly deplete system resources while creating unauthorized user accounts. The fix implemented in version 1.11.0 addressed this by strengthening header validation logic to ensure that cf-connecting-ip values are only trusted when requests genuinely originate from CloudFlare's infrastructure, rather than accepting the header blindly regardless of network provenance. This mitigation approach aligns with security best practices for handling forwarded headers and demonstrates proper implementation of trust boundaries within web applications. System administrators should immediately upgrade to version 1.11.0 or later to eliminate this vulnerability, while also implementing additional monitoring for suspicious authentication patterns and reviewing access logs for potential abuse indicators that may have occurred during the vulnerable period.

Responsible

GitHub M

Reservation

06/30/2026

Disclosure

07/14/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Interested in the pricing of exploits?

See the underground prices here!