Authentication Bypass in Mobile API of code100x Platform
CVE-2026-8890

8.8 HIGH

Key Information:

Vendor: Code100x

Status
Vendor
CVE Published: 26 May 2026

What is CVE-2026-8890?

The code100x Mobile API is vulnerable to an authentication bypass that lets an attacker impersonate any user by sending a specially formatted JSON payload in the 'g' HTTP header. When an Auth-Key header is included, the system does not validate its value, which allows a spoofed user identity header to be injected. As a result, an unauthorized party can access sensitive course data belonging to any student or administrator enrolled in the system.
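The flaw described above, as an added example that is not code100x's own code: a presence-only Auth-Key check beside a form that verifies the key's value before the identity in 'g' is parsed. The shared-secret model, the function names and the `id` field are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

// Assumption: one server-side secret that a trusted caller sends as Auth-Key.
// The value is constructed for this example.
const EXPECTED_AUTH_KEY = "constructed-example-secret";

// Flawed pattern from the description: Auth-Key only has to be present, its
// value is never compared, so the identity in 'g' is accepted from anyone.
function identityPresenceOnly(headers) {
  if (headers["auth-key"] === undefined) return null;
  try { return JSON.parse(headers["g"]); } catch { return null; }
}

// Constant-time comparison; hashing first yields equal-length buffers,
// which timingSafeEqual requires.
function authKeyMatches(presented, expected) {
  if (typeof presented !== "string") return false;
  const a = crypto.createHash("sha256").update(presented).digest();
  const b = crypto.createHash("sha256").update(expected).digest();
  return crypto.timingSafeEqual(a, b);
}

// Hardened form: 'g' is parsed only after Auth-Key has been verified, and the
// parsed value must be an object with a non-empty string id (hypothetical field).
function identityValidated(headers, expected = EXPECTED_AUTH_KEY) {
  if (!authKeyMatches(headers["auth-key"], expected)) return null;
  let claimed;
  try { claimed = JSON.parse(headers["g"]); } catch { return null; }
  if (claimed === null || typeof claimed !== "object" || Array.isArray(claimed)) return null;
  if (typeof claimed.id !== "string" || claimed.id.length === 0) return null;
  return { id: claimed.id }; // pass on only the validated field
}

// Constructed sample headers, lower-cased as Node's http module presents them.
const SAMPLES = [
  { "auth-key": "not-the-secret", g: '{"id":"admin-1"}' },
  { "auth-key": EXPECTED_AUTH_KEY, g: '{"id":"student-7"}' },
];

// Returns [presence-only result, validated result] for each sample.
function compareSamples() {
  return SAMPLES.map((h) => [identityPresenceOnly(h), identityValidated(h)]);
}
```

For the first sample the presence-only check returns the claimed identity while the validated check returns null, which is the difference to cover in a regression test.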

Affected Version(s)

code100x 0 < 90b489ee7c63c301107d6374d4b3f2b8e4060fe5

code100x 0 < 88c6c5e94e23da101235c4c7e9c7591ac1016549

CVSS V4

Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: Low
Availability: None
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: None
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Shravan Manne
VulnCheck