CVE-2026-15557

Source
https://cve.org/CVERecord?id=CVE-2026-15557
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15557.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-15557
Published
2026-07-13T09:30:09.319Z
Modified
2026-07-16T03:48:17.435344078Z
Severity
  • 5.5 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P CVSS Calculator
Summary
waooAI waoowaoo Internal Task Header api-auth.ts requireProjectAuthLight improper authentication
Details

A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This manipulation of the argument x-internal-user-id request causes improper authentication. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Database specific
{
    "cwe_ids": [
        "CWE-287"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/15xxx/CVE-2026-15557.json",
    "cna_assigner": "VulDB"
}
References

Affected packages

Git / github.com/waooai/waoowaoo

Affected ranges

Type
GIT
Repo
https://github.com/waooai/waoowaoo
Events
Database specific
{
    "extracted_events": [
        {
            "introduced": "0.4.0"
        },
        {
            "last_affected": "0.4.0"
        },
        {
            "introduced": "0.4.1"
        },
        {
            "last_affected": "0.4.1"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.4.0
0.4.1
v0.*
v0.4.0
v0.4.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-15557.json"