{"uuid": "51a109f5-cea9-4eaa-86b0-85ad38fca504", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "GHSA-g936-7jqj-mwv8", "type": "seen", "source": "https://gist.github.com/alon710/3aab1c4181e03ef1803e74b755304657", "content": "# GHSA-G936-7JQJ-MWV8: GHSA-g936-7jqj-mwv8: Administrative Token Leakage and Privilege Escalation in TSDProxy\n\n&gt; **CVSS Score:** 8.3\n&gt; **Published:** 2026-07-10\n&gt; **Full Report:** https://cvereports.com/reports/GHSA-G936-7JQJ-MWV8\n\n## Summary\nAn authentication bypass and token leakage vulnerability exists in TSDProxy before version 1.4.4. The application unconditionally forwards its internal administrative token to all proxied backend services when identity headers are enabled. Attackers with control over an upstream backend can capture this token and replay it to the local management API to achieve full administrative control over the proxy engine.\n\n## TL;DR\nTSDProxy unconditionally forwards its internal administrative authentication token to all proxied backend services when identity headers are enabled, allowing attackers in control of a backend to harvest the token and compromise the reverse proxy.\n\n## Exploit Status: POC\n\n## Technical Details\n\n- **CWE ID**: CWE-200, CWE-287\n- **Attack Vector**: Network\n- **CVSS v3.1 Score**: 8.3 (High)\n- **Impact**: Privilege Escalation and Complete Proxy Control\n- **Exploit Status**: poc\n- **KEV Status**: Not Listed\n\n## Affected Systems\n\n- TSDProxy\n- **TSDProxy**: &lt; 1.4.4-0.20260603142855-434819b4421e (Fixed in: `1.4.4-0.20260603142855-434819b4421e`)\n\n## Mitigation\n\n- Upgrade TSDProxy to version 1.4.4-0.20260603142855-434819b4421e or newer.\n- Restrict loopback network access from containers to host port 8080.\n- Disable identity headers globally if they are not required by backend services.\n\n**Remediation Steps:**\n1. Pull the latest Docker image of TSDProxy incorporating commit 434819b4421e6b7471eaeb307533f19c52c222d8.\n2. Verify the configuration files and set 'identityHeaders: false' if user identity metadata is unnecessary.\n3. Configure firewalls (iptables/ufw) to isolate container networks from accessing localhost administrative interfaces.\n\n## References\n\n- [GitHub Security Advisory GHSA-g936-7jqj-mwv8](https://github.com/almeidapaulopt/tsdproxy/security/advisories/GHSA-g936-7jqj-mwv8)\n- [TSDProxy Code Repository](https://github.com/almeidapaulopt/tsdproxy)\n- [TSDProxy Security Patch Commit](https://github.com/almeidapaulopt/tsdproxy/commit/434819b4421e6b7471eaeb307533f19c52c222d8)\n\n\n---\n*Generated by [CVEReports](https://cvereports.com/reports/GHSA-G936-7JQJ-MWV8) - Automated Vulnerability Intelligence*", "creation_timestamp": "2026-07-10T22:12:05.027481Z"}