CVE-2026-45577

Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

CVSS 6.9 MEDIUMEPSS 0.2%CWE-288 CWE-306

Vexday Risk Score

13Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 6.9EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

29 May 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In affected deployments, the REST auth middleware can resolve unauthenticated requests as the local development user, making the hosted Inspector and related API surface reachable without credentials. This vulnerability is fixed in 0.11.1.

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Affected products

markmhendrickson · neotoma

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://github.com/markmhendrickson/neotoma/releases/tag/v0.11.1 https://github.com/markmhendrickson/neotoma/security/advisories/GHSA-5cvp-p7p4-mcx9