Local API Server Vulnerability in Vibe-Trading by HKUDS
CVE-2026-58169

7.7 HIGH

Key Information:

Vendor: HKUDS
CVE Published: 30 June 2026

What is CVE-2026-58169?

The local API server in Vibe-Trading versions before 0.1.10 incorrectly trusts the TCP peer address of a connection: clients that connect from loopback are treated as trusted, so their requests bypass the API_AUTH_KEY check. The server also performs no Host header validation. Together, these flaws allow unauthenticated access: an attacker can use a DNS-rebinding attack to issue requests that the server accepts as authenticated. This potentially enables remote code execution and unauthorized manipulation of sensitive API functions, including the execution of shell commands, which can endanger system integrity and expose confidential information.
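The flawed trust decision described above next to a hardened one, as an added example that is not Vibe-Trading's own code. The function names, the port, the allowed host list, the lowercase header keys and the use of an `Authorization: Bearer` header to carry the key are all assumptions made for illustration.

```python
import hmac
from typing import Mapping

API_AUTH_KEY = "constructed-example-key"  # constructed sample value
# Assumed names and port under which the local server is legitimately reached.
ALLOWED_HOSTS = {"127.0.0.1:8000", "localhost:8000", "[::1]:8000"}
LOOPBACK_PEERS = {"127.0.0.1", "::1"}


def _key_matches(headers: Mapping[str, str]) -> bool:
    # Constant-time comparison; the header carrying the key is an assumption.
    supplied = headers.get("authorization", "")
    expected = f"Bearer {API_AUTH_KEY}"
    return hmac.compare_digest(supplied.encode(), expected.encode())


def authorize_flawed(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Pattern from the advisory: a loopback peer address skips the key check."""
    if peer_ip in LOOPBACK_PEERS:
        return True  # a browser on the same machine is also a loopback peer
    return _key_matches(headers)


def authorize_hardened(peer_ip: str, headers: Mapping[str, str]) -> bool:
    """Allowlist the Host header and require the key from every peer."""
    host = headers.get("host", "").strip().lower()
    if host not in ALLOWED_HOSTS:
        return False  # a rebound name does not match the server's own names
    return _key_matches(headers)  # peer_ip deliberately grants nothing


# Constructed sample requests: (label, peer address, headers).
SAMPLES = [
    ("foreign Host, no key", "127.0.0.1", {"host": "rebind.example.test:8000"}),
    ("local Host, no key", "127.0.0.1", {"host": "localhost:8000"}),
    ("local Host, valid key", "127.0.0.1",
     {"host": "127.0.0.1:8000",
      "authorization": "Bearer constructed-example-key"}),
]


def compare() -> dict:
    """Return {label: (flawed_decision, hardened_decision)} for the samples."""
    return {label: (authorize_flawed(ip, h), authorize_hardened(ip, h))
            for label, ip, h in SAMPLES}


if __name__ == "__main__":
    for label, (flawed, hardened) in compare().items():
        print(f"{label:24} flawed={flawed!s:5} hardened={hardened}")
```
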

Affected Version(s)

Vibe-Trading 0 < 0.1.10

CVSS V4

Score: 7.7
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: High
Attack Required: None
Privileges Required: Undefined
User Interaction: Unknown

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Chia Min Jun Lennon