Jul 10, 2026·7 min read·5 visits
TSDProxy unconditionally forwards its internal administrative authentication token to all proxied backend services when identity headers are enabled, allowing attackers in control of a backend to harvest the token and compromise the reverse proxy.
An authentication bypass and token leakage vulnerability exists in TSDProxy before version 1.4.4. The application unconditionally forwards its internal administrative token to all proxied backend services when identity headers are enabled. Attackers with control over an upstream backend can capture this token and replay it to the local management API to achieve full administrative control over the proxy engine.
TSDProxy is an open-source Tailscale reverse proxy designed to automate the process of exposing Docker containers and internal host services directly to a Tailnet. When routing traffic to these upstream backends, TSDProxy can be configured to forward identity details using HTTP request headers, such as user IDs and usernames, allowing backend services to verify user identity seamlessly.
To facilitate internal administrative operations like starting, stopping, or pausing individual proxy definitions, TSDProxy maintains an internal HTTP management API. This management plane is designed to run locally, typically binding to the loopback interface on port 8080. It utilizes an internal per-process authentication token to validate administrative commands originating from the local machine.
The vulnerability arises because TSDProxy leaks this highly sensitive internal administrative token to untrusted third-party upstream backends. Under default configurations where identity headers are enabled, every proxied HTTP request carries the token to the backend server. This flaw creates a vector where any compromised or malicious upstream backend can capture the token and escalate privileges to fully control the TSDProxy instance.
The root cause of this vulnerability lies in the combination of unconditional token injection and improper context checking within the reverse proxy implementation. In the file internal/proxymanager/port.go, the handler loops through incoming requests and appends identity-related headers. If the identityHeaders boolean is enabled, the proxy attempts to extract user identity information from the request context.
The application implements a middleware called ProviderUserMiddleware which is intended to populate the request context using Tailscale's Whois utility. However, for unauthenticated requests, such as public traffic coming through a Tailscale Funnel, the middleware still inserts a zero-value Whois{} struct into the context. Consequently, calling WhoisFromContext returns a success status (ok=true) because a Whois structure exists in the context, even though the fields within that structure are completely empty.
Due to this flaw, the execution block responsible for header injection is entered for all incoming HTTP requests. Within this block, the code sets the x-tsdproxy-auth-token header using the value retrieved from core.ProxyAuthToken(). This action unconditionally appends the secret administrative token to outgoing requests destined for proxied backend applications, irrespective of whether the original requester is an administrator, a standard user, or an unauthenticated anonymous visitor.
In the vulnerable version of internal/proxymanager/port.go, the header injection logic fails to validate the destination of the proxied request or the authenticity of the user. The following code segment illustrates this flaw:
// Vulnerable Code Path
if identityHeaders {
if user, ok := model.WhoisFromContext(r.In.Context()); ok {
// The ok boolean evaluates to true even for anonymous requests
// The internal administrative token is sent to the upstream backend unconditionally
r.Out.Header.Set(consts.HeaderAuthToken, core.ProxyAuthToken())
}
}The official patch applied in commit 434819b4421e6b7471eaeb307533f19c52c222d8 implements stringent checks to remediate the vulnerability. First, it requires the user identifier to be non-empty, preventing anonymous context entries from triggering header injection. Second, it restricts token forwarding strictly to cases where the proxy target is identified as the local management interface:
// Patched Code Path
if identityHeaders {
if user, ok := model.WhoisFromContext(r.In.Context()); ok && user.ID != "" {
r.Out.Header.Set(consts.HeaderID, user.ID)
r.Out.Header.Set(consts.HeaderUsername, user.Username)
// Forward the auth token only to the internal management
// server (self-proxy case). Never expose it to external
// backends — a leaked token allows identity spoofing on
// the management API.
if isManagementTarget(pconfig.GetFirstTarget()) {
r.Out.Header.Set(consts.HeaderAuthToken, core.ProxyAuthToken())
}
}
}Additionally, the patch introduces the helper function isManagementTarget to parse the destination URL and verify if it represents a loopback host on the designated HTTP management port. This stops the administrative token from being exposed to any backend container or external host service, while maintaining the self-proxying functionality required for legitimate management operations.
Exploitation of GHSA-g936-7jqj-mwv8 depends on the attacker's ability to monitor HTTP requests on an upstream backend service proxied by TSDProxy. This condition is easily met if the attacker compromises an existing container, deploys an unauthorized application, or controls a legitimate backend service. Once a single request passes through the proxy, the backend application receives the x-tsdproxy-auth-token header, exposing the administrative credential.
After harvesting the token, the attacker must be capable of reaching the local management port of TSDProxy, which typically binds to 127.0.0.1:8080. This access is possible if the backend container runs with host networking privileges (--network=host), if both services share a network namespace, or if the attacker has local shell access on the host operating system. The attacker can then issue administrative requests to the loopback interface, supplying the stolen token and a spoofed identity.
By transmitting a request to /api/v1/proxies accompanied by the hijacked token, the attacker bypasses all access controls. The management API trusts the caller implicitly due to the matching token and the loopback origin, giving the attacker structural authority over the reverse proxy configuration.
The security impact of this vulnerability is critical, as it allows a complete compromise of the reverse proxy engine's management plane. Armed with the stolen administrative token, an attacker can modify proxy definitions, stop existing proxies, start new services, and alter configuration files. This level of access grants the attacker control over the routing of traffic within the Tailnet environment.
Furthermore, the management API exposes detailed configuration structures that reveal internal network topologies, container identifiers, and backend URLs. An attacker can leverage this information to map out isolated systems, locate other sensitive databases, and plan further lateral movement. Additionally, administrative capabilities such as triggering server-side webhooks present opportunities for server-side request forgery (SSRF) and localized denial of service.
The CVSS v3.1 base score is calculated at 8.3, reflecting high confidentiality, integrity, and availability impacts. While the exploitation requires the attacker to occupy a position within the internal network or a proxied backend, the resulting scope change makes the vulnerability particularly significant because a compromise of a standard container escalates directly to host-level network proxy control.
The primary remediation strategy is upgrading TSDProxy to a version containing the official fix. The vulnerability is resolved in the Go pseudo-version 1.4.4-0.20260603142855-434819b4421e, which implements the patched header sanitization and the target validation checks. Organizations running TSDProxy via Docker should pull the latest image built from the main branch containing the patched proxy manager code.
In environments where immediate software upgrades are not feasible, network-level mitigations must be deployed to disrupt the exploitation path. Security teams should enforce strict network namespace isolation, ensuring that upstream backend containers are placed in isolated bridge networks rather than using host networking mode. This prevents backend applications from accessing the host loopback interface where the management API resides.
Additionally, administrators can mitigate the risk by setting identityHeaders: false in the proxy configuration file. This completely disables the forwarding of Tailscale user attributes to the backends, thereby preventing the execution block from injecting the administrative token. Finally, host firewalls should be configured to drop any traffic attempting to reach port 8080 from non-trusted interfaces or container bridge subnets.
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H| Product | Affected Versions | Fixed Version |
|---|---|---|
TSDProxy almeidapaulopt | < 1.4.4-0.20260603142855-434819b4421e | 1.4.4-0.20260603142855-434819b4421e |
| Attribute | Detail |
|---|---|
| CWE ID | CWE-200, CWE-287 |
| Attack Vector | Network |
| CVSS v3.1 Score | 8.3 (High) |
| Impact | Privilege Escalation and Complete Proxy Control |
| Exploit Status | poc |
| KEV Status | Not Listed |
The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
A critical-severity stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan's Attribute View database asset cell renderer. This flaw allows low-privilege authenticated users to execute arbitrary JavaScript in the application frontend. In Electron-based desktop clients, this execution context can be leveraged to execute arbitrary native operating system commands, resulting in complete system compromise.
Clauster versions up to and including v0.2.1 suffer from an authentication bypass vulnerability. This issue occurs when Clauster is configured with an authentication method but the master auth.enabled key is omitted or set to false, allowing unauthenticated network access to administrative endpoints and arbitrary code execution through managed Claude Code bridges.
A high-severity Stored Cross-Site Scripting (XSS) vulnerability exists in SiYuan prior to version 3.7.0. The vulnerability is located within the server-side Markdown-to-HTML parsing component for the Bazaar marketplace packages. Due to an incomplete event-handler attribute blocklist in the lute parsing engine and a lack of client-side DOM sanitization, malicious package authors can bypass restrictions using modern HTML5 event handlers. When an authenticated administrator views a malicious package, the embedded JavaScript runs in the administrator origin, allowing unauthorized workspace access, local file reading, and remote API execution.
A DNS-rebinding Time-of-Check to Time-of-Use (TOCTOU) vulnerability exists in the mcp-atlassian server before version 0.17.0. The server processes unauthenticated client-supplied URLs via custom headers, validating the destination IP but failing to pin the resolved address before connecting. This allows remote adjacent-network attackers to achieve Server-Side Request Forgery (SSRF) and access restricted resources or cloud metadata services.
A high-severity denial-of-service vulnerability in @libp2p/gossipsub prior to version 16.0.0 allows unauthenticated remote attackers to trigger event loop starvation and complete node freeze by exploiting unbounded protobuf decoding limits and nested synchronous array iteration loops.
CVE-2026-49858 is a vulnerability in API Platform Core's JSON:API and HAL item normalizers where conditionally secured attributes are cached globally in memory. When deployed in long-running PHP execution environments such as FrankenPHP worker mode, Swoole, or RoadRunner, this persistent caching bypasses property-level security constraints, allowing unprivileged users to access sensitive, unauthorized fields cached during privileged requests.