GHSA-g936-7jqj-mwv8Critical· 9.0▾ MidnightTSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation
▾ Midnight zone — Critical, or high with PoC / in-the-wild
impact 49.5 · likelihood 0 · exploitation 0
Need a working PoC? Pro members can cast a request and our team develops one — it lands right here.
A vulnerability was discovered in TSDProxy where it forwards its internal per-process authentication token to all proxied backend services. When identityHeaders is enabled (the default), tsdproxy injects x-tsdproxy-auth-token into every upstream HTTP request alongside user identity headers. This token is the same secret used by the management HTTP server to trust forwarded Tailscale identity claims. A backend that receives this token can replay it from localhost to the management port with an arbitrary x-tsdproxy-id value, bypassing Tailscale authentication entirely.
The token is forwarded unconditionally: ProviderUserMiddleware always calls WhoisNewContext regardless of whether the user is authenticated. In the ReverseProxy.Rewrite function, WhoisFromContext returns ok=true even for zero-value Whois{} (unauthenticated or Funnel requests). The HeaderAuthToken is set for every request when identityHeaders=true.
The attack requires the backend to reach 127.0.0.1:8080. This holds in: (1) non-Docker deployments where tsdproxy and a backend run on the same host, (2) Docker host-network-mode containers, (3) containers sharing tsdproxy's network namespace.
internal/proxymanager/port.go:123-132internal/core/admin.go:160-182// port.go: auth token forwarded regardless of user authentication state
if identityHeaders {
if user, ok := model.WhoisFromContext(r.In.Context()); ok {
// ok=true even for empty Whois{} stored by ProviderUserMiddleware
r.Out.Header.Set(consts.HeaderAuthToken, core.ProxyAuthToken()) // token sent to backend
}
}
// admin.go: management port trusts x-tsdproxy-id from localhost when token is valid
func ResolveWhois(r *http.Request) model.Whois {
if IsLocalhost(r.RemoteAddr) {
return model.Whois{
ID: r.Header.Get(consts.HeaderID), // attacker-controlled after stealing token
}
}
return model.Whois{}
}
http://localhost:3000.x-tsdproxy-auth-token in the request headers.# Capture token from backend headers (e.g., via a header-reflection endpoint)
TOKEN=$(curl -s http://localhost:3000/debug/headers | python3 -c "import sys,json; d=json.load(sys.stdin); print(d['headers'].get('X-Tsdproxy-Auth-Token',''))")
# Replay from localhost to gain admin access
curl -H "x-tsdproxy-auth-token: $TOKEN" \
-H "x-tsdproxy-id: attacker" \
http://127.0.0.1:8080/api/v1/proxies
# Returns full proxy list with admin access
Remove HeaderAuthToken from the outgoing backend request, and guard identity-header injection on user.ID != "":
// port.go: only inject headers for actually authenticated users
if identityHeaders {
if user, ok := model.WhoisFromContext(r.In.Context()); ok && user.ID != "" {
r.Out.Header.Set(consts.HeaderID, user.ID)
// HeaderAuthToken should NOT be forwarded to backends
}
}
An attacker with code execution in any backend proxied by tsdproxy (on the same host) gains full management API control: restart or pause all proxied services (DoS), enumerate all proxy configurations and backend network topology, and trigger webhook deliveries (SSRF via configured webhook URLs).
Reported by Vishal Shukla (@shukla304 / @therawdev).
This audit is from an AI-assisted research agent at sechub.dev. Running it on OSS projects is free for maintainers.
github.com/almeidapaulopt/tsdproxy < 1.4.4-0.20260603142855-434819b4421eUpgrade to a patched release:
github.com/almeidapaulopt/tsdproxy 1.4.4-0.20260603142855-434819b4421eConnected by shared product, vendor, weakness, or advisory.
CVE-2026-54089Critical· 9.1File Browser: Authentication Bypass via Proxy Auth Header Forgery
CVE-2026-50554Medium· 5.3Note Mark: Unauthenticated disclosure of soft-deleted note metadata via deleted=true on public books
CVE-2026-53553High· 7.7Goploy: Arbitrary File Read via Path Traversal in /deploy/fileDiff allows Remote Server Compromise
CVE-2026-47735HighArc has an authenticated arbitrary local-file read via DuckDB I/O functions that bypasses RBAC table-level checks
CVE-2026-49397Medium· 5.3Nezha's private services (`EnableShowInService: false`) are enumerable via per-server endpoints, leaking name and timing data
CVE-2026-47701High· 7.7OpenTelemetry Operator for Kubernetes's ServiceMonitor bearerTokenFile reads arbitrary local file and sends contents as bearer auth