CVE-2026-58488

Source
https://cve.org/CVERecord?id=CVE-2026-58488
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58488.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-58488
Aliases
  • GHSA-2f9f-w8xq-276v
Published
2026-07-13T21:43:14.830Z
Modified
2026-07-16T03:30:58.880439647Z
Severity
  • 6.9 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N CVSS Calculator
Summary
HedgeDoc: Rate-limit bypass via CF-Connecting-IP header spoofing
Details

HedgeDoc is an open source, real-time, collaborative, markdown notes application. Versions prior to 1.11.0 allowed attackers to circumvent the rate-limiting of the /login and /register routes by spoofing IP addresses. HedgeDoc instances checked for CloudFlare's cf-connecting-ip header and used that instead of the users real IP address, if the header was present even when the request did not originate from Cloudflare. This made it possible for an attacker to spam login requests or create multiple arbitrary accounts by sending another cf-connecting-ip header every few requests. The issue has been fixed in version 1.11.0.

Database specific
{
    "cwe_ids": [
        "CWE-290",
        "CWE-770"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/58xxx/CVE-2026-58488.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/hedgedoc/hedgedoc

Affected ranges

Type
GIT
Repo
https://github.com/hedgedoc/hedgedoc
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "1.11.0"
        }
    ],
    "source": "AFFECTED_FIELD"
}

Affected versions

0.*
0.4.0
0.4.1
0.4.2
0.4.3
0.4.4
0.4.5
0.4.6
0.5.0
1.*
1.0.0-ce
1.0.1-ce
1.1.0-ce
1.1.1-ce
1.10.0
1.10.1
1.10.2
1.10.4
1.10.5
1.10.6
1.10.7
1.10.8
1.2.0
1.2.1
1.3.0
1.3.1
1.3.2
1.4.0
1.5.0
1.6.0
1.7.0
1.7.0-rc1
1.7.0-rc2
1.7.1
1.7.2
1.8.0
1.8.0-rc1
1.8.1
1.8.2
1.9.0
1.9.0-rc1
1.9.1
1.9.2
1.9.3
1.9.4
1.9.5
1.9.6
1.9.7
1.9.8
1.9.9
v0.*
v0.3.3
v0.3.4

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-58488.json"