Authentication Bypass in Relay Server by No Instructions
CVE-2026-42889
9.1 CRITICAL
What is CVE-2026-42889?
Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in their multi-document WebSocket endpoints. When the server is configured for authentication, it incorrectly grants full permissions to WebSocket connections that lack a token query parameter, so an unauthorized user who knows a document ID can access and modify that document's contents. This exposes sensitive data and can compromise document integrity. Version 0.9.7 addresses the vulnerability; update to it.
Affected Version(s)
relay-server >= 0.9.0, < 0.9.7
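
The behaviour described above is a fail-open authorization decision: the absence of a credential is treated as permission. The following added example is not Relay Server source code; it is a minimal model that contrasts a fail-open check with a fail-closed one, and every function name, the `Access` type and the token format are hypothetical.

```rust
// Added illustration, not Relay Server source. Names and token values are hypothetical.
#[derive(Debug, PartialEq, Clone, Copy)]
enum Access { Full, ReadOnly, Denied }

// Stand-in for real token verification (constructed token format).
fn verify_token(token: &str, doc_id: &str) -> Access {
    if token == format!("full:{}", doc_id) {
        Access::Full
    } else if token == format!("ro:{}", doc_id) {
        Access::ReadOnly
    } else {
        Access::Denied
    }
}

// Return the value of the `token` query parameter, if the request carries one.
fn token_param(query: &str) -> Option<&str> {
    query
        .split('&')
        .filter_map(|kv| kv.split_once('='))
        .find(|(k, _)| *k == "token")
        .map(|(_, v)| v)
}

// Fail-open: an absent token skips verification and falls through to full access.
fn authorize_fail_open(query: &str, doc_id: &str) -> Access {
    match token_param(query) {
        Some(t) => verify_token(t, doc_id),
        None => Access::Full,
    }
}

// Fail-closed: server configuration, not the request, decides whether auth applies.
fn authorize_fail_closed(auth_configured: bool, query: &str, doc_id: &str) -> Access {
    if !auth_configured {
        return Access::Full;
    }
    match token_param(query) {
        Some(t) => verify_token(t, doc_id),
        None => Access::Denied, // a request without a token is rejected
    }
}

fn main() {
    for q in ["token=full:doc-1", "token=ro:doc-1", "token=bad", "view=1", ""] {
        let (open, closed) = (authorize_fail_open(q, "doc-1"), authorize_fail_closed(true, q, "doc-1"));
        println!("{:?}: fail-open={:?} fail-closed={:?}", q, open, closed);
    }
}
```

A regression test for this class of bug should assert that a request with no token is denied whenever authentication is configured, alongside the usual invalid-token cases.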
