Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass

Severity:: Medium

Description

Neotoma versions starting at v0.6.0 can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present.

Recommendation

Update the neotoma package to the latest compatible version. Followings are version details:

Affected version(s): >= 0.6.0, < 0.11.1
Patched version(s): 0.11.1

References

GHSA-5cvp-p7p4-mcx9
CVE-2026-45577
CWE-288
CWE-306
CAPEC-310
OWASP 2021-A6
OWASP 2021-A7

Related Issues

LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header - CVE-2026-39411
paperclip Vulnerable to Unauthenticated Remote Code Execution via Import Authorization Bypass - CVE-2026-41679
StudioCMS S3 Storage Manager Authorization Bypass via Missing `await` on Async Auth Check - CVE-2026-32101
Axios: Incomplete Fix for CVE-2025-62718 — NO_PROXY Protection Bypassed via RFC 1122 Loopback Subnet (127.0.0.0/8) in Ax - CVE-2026-42043

Apache and Express Path Traversal plus Nginx Restriction Bypass Tests with SmartScanner

10 Secure Coding Best Practices to Follow in Every Project

Update Cheat Sheet for Developers

Tags:: npm; neotoma

Anything's wrong? Let us know Last updated on May 18, 2026