| शीर्षक | waooAI waoowaoo 0.4.1 Improper Authentication |
|---|
| विवरण | A vulnerability was found in waooAI waoowaoo 0.4.1 and classified as high severity.
Affected is the internal task authentication logic in src/lib/api-auth.ts. The application
constructs an authenticated user session from the x-internal-user-id request header when
the internal task token is accepted. In non-production environments where INTERNAL_TASK_TOKEN
is unset, the x-internal-user-id header alone is accepted. In deployments that keep the
published default/example INTERNAL_TASK_TOKEN values from docker-compose.yml or .env.example,
an attacker can provide the known token together with x-internal-user-id and impersonate
that user.
The manipulation of the x-internal-user-id and x-internal-task-token headers leads to an
authentication bypass and user impersonation. It is possible to launch the attack remotely
against network-reachable deployments. Authentication required: no. User interaction
required: no.
Technical Details
- Affected file/function: src/lib/api-auth.ts / getInternalTaskSession(), getAuthSession(), requireUserAuth(), requireProjectAuth(), requireProjectAuthLight()
- Vulnerable parameter: x-internal-user-id request header
- Related parameter: x-internal-task-token request header
- Attack vector: Network
- Privileges required: None
- Trigger condition: the deployment has no INTERNAL_TASK_TOKEN in a non-production environment, or keeps a public default/example INTERNAL_TASK_TOKEN value such as the one shipped in docker-compose.yml or .env.example
Impact
- Confidentiality: High
- Integrity: High
- Availability: Low
Representative impact includes reading user balance/cost information, listing user projects
and project previews, accessing or modifying project and asset-library data, and triggering
generation/task APIs as the impersonated user. Direct remote code execution was not observed.
CVSS v3.1
Score: 7.7 (High)
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
The attack requires a valid target user UUID for targeted impersonation, so attack complexity
is assessed as High. If user IDs are exposed by another issue or operational leakage, the
request itself is reliable.
Timeline
- Discovered: 2026-06-10
- Vendor notified: 2026-06-10
- Patch released: [unknown]
- Public disclosure: 2026-06-10
Countermeasure
Require INTERNAL_TASK_TOKEN to be present, private, high entropy, and different from any
published default/example value before accepting internal task headers. Refuse startup when
the token is empty or equal to known defaults. Separate internal-worker identity from normal
end-user sessions, and strip or reject externally supplied x-internal-* headers unless the
request originates from a trusted internal source. |
|---|
| स्रोत | ⚠️ https://github.com/waooAI/waoowaoo/issues/200 |
|---|
| उपयोगकर्ता | Dem0000000 (UID 98743) |
|---|
| सबमिशन | 10/06/2026 05:14 PM (1 महीना पहले) |
|---|
| संयम | 13/07/2026 07:03 AM (1 month later) |
|---|
| स्थिति | स्वीकृत |
|---|
| VulDB प्रविष्टि | 377906 [waooAI waoowaoo तक 0.4.1 Internal Task Header src/lib/api-auth.ts x-internal-user-id request कमजोर प्रमाणीकरण] |
|---|
| अंक | 20 |
|---|