Submit #855187: waooAI waoowaoo 0.4.1 Improper Authenticationinfo

TitlewaooAI waoowaoo 0.4.1 Improper Authentication
DescriptionA vulnerability was found in waooAI waoowaoo 0.4.1 and classified as high severity. Affected is the internal task authentication logic in src/lib/api-auth.ts. The application constructs an authenticated user session from the x-internal-user-id request header when the internal task token is accepted. In non-production environments where INTERNAL_TASK_TOKEN is unset, the x-internal-user-id header alone is accepted. In deployments that keep the published default/example INTERNAL_TASK_TOKEN values from docker-compose.yml or .env.example, an attacker can provide the known token together with x-internal-user-id and impersonate that user. The manipulation of the x-internal-user-id and x-internal-task-token headers leads to an authentication bypass and user impersonation. It is possible to launch the attack remotely against network-reachable deployments. Authentication required: no. User interaction required: no. Technical Details - Affected file/function: src/lib/api-auth.ts / getInternalTaskSession(), getAuthSession(), requireUserAuth(), requireProjectAuth(), requireProjectAuthLight() - Vulnerable parameter: x-internal-user-id request header - Related parameter: x-internal-task-token request header - Attack vector: Network - Privileges required: None - Trigger condition: the deployment has no INTERNAL_TASK_TOKEN in a non-production environment, or keeps a public default/example INTERNAL_TASK_TOKEN value such as the one shipped in docker-compose.yml or .env.example Impact - Confidentiality: High - Integrity: High - Availability: Low Representative impact includes reading user balance/cost information, listing user projects and project previews, accessing or modifying project and asset-library data, and triggering generation/task APIs as the impersonated user. Direct remote code execution was not observed. CVSS v3.1 Score: 7.7 (High) Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L The attack requires a valid target user UUID for targeted impersonation, so attack complexity is assessed as High. If user IDs are exposed by another issue or operational leakage, the request itself is reliable. Timeline - Discovered: 2026-06-10 - Vendor notified: 2026-06-10 - Patch released: [unknown] - Public disclosure: 2026-06-10 Countermeasure Require INTERNAL_TASK_TOKEN to be present, private, high entropy, and different from any published default/example value before accepting internal task headers. Refuse startup when the token is empty or equal to known defaults. Separate internal-worker identity from normal end-user sessions, and strip or reject externally supplied x-internal-* headers unless the request originates from a trusted internal source.
Source⚠️ https://github.com/waooAI/waoowaoo/issues/200
User
 Dem0000000 (UID 98743)
Submission06/10/2026 17:14 (1 month ago)
Moderation07/13/2026 07:03 (1 month later)
StatusAccepted
VulDB entry377906 [waooAI waoowaoo up to 0.4.1 Internal Task Header src/lib/api-auth.ts x-internal-user-id request improper authentication]
Points20

Want to stay up to date on a daily basis?

Enable the mail alert feature now!