SessionMiddleware Vulnerability in DevGuard Affects User Authentication
CVE-2026-42300

9.3CRITICAL

Key Information:

Vendor: L3montree-dev
Status: Devguard
Vendor: CVE Published:; 12 May 2026

🔔 Create L3montree-dev Vulnerability Alert

What is CVE-2026-42300?

The SessionMiddleware in DevGuard, prior to version 1.2.2, contains a vulnerability that allows an attacker to impersonate an authenticated user by exploiting the X-Admin-Token HTTP request header. When a valid Kratos session cookie is not present, this raw token value is misused as the authenticated userID. An attacker who can guess or acquire the target user's Kratos identity UUID can issue requests on behalf of that user. If the compromised account belongs to an organization admin or owner, the attacker gains full control over the organization's DevGuard resources, posing a significant security risk.

Affected Version(s)

devguard < 1.2.2

References

https://github.com/l3montree-dev/devguard/security/adviso...

x_refsource_CONFIRM

https://github.com/l3montree-dev/devguard/commit/6f38310b...

x_refsource_MISC

CVSS V4

Score:

9.3

Severity:

CRITICAL

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

None

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 12, 2026
Vulnerability Reserved
Apr 26, 2026

CVE-2026-42300 Data

JSON