CVE Catalog

CVE-2026-58169

HighCVSS 7.5
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.29%

20th percentile — higher than 20% of all known CVEs

Summary

A DNS rebinding vulnerability in Vibe-Trading before 0.1.10 allows bypassing bearer-token authentication. The attacker exploits the server's trust of TCP peer addresses for loopback clients and missing Host header validation while binding to 0.0.0.0 with credentialed CORS. This leads to remote code execution and credential exfiltration.

Risk Assessment

The risk includes remote takeover of the API server, arbitrary code execution as the API process user, and leakage of sensitive credentials such as LLM and data-source settings.

Recommendation

Immediately upgrade Vibe-Trading to version 0.1.10 or later. Additionally, implement Host header validation and bind to localhost instead of 0.0.0.0.

Original NVD description (English source)

Vibe-Trading before 0.1.10 contains a DNS rebinding authentication bypass vulnerability that allows remote attackers to bypass bearer-token authentication by exploiting the server's trust of TCP peer addresses for loopback clients combined with missing Host header validation while binding to 0.0.0.0 with credentialed CORS. Attackers can craft a malicious DNS rebinding page to issue authenticated requests to the local API server, reach the shell execution endpoint with a bash-enabled preset, and achieve remote code execution as the API process user while also overwriting LLM and data-source settings to exfiltrate credentials.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS