Neotoma: Unauthenticated Inspector/API access via reverse-proxy loopback auth bypass
- Severity: Medium
Description
Neotoma versions from v0.6.0 up to (but not including) v0.11.1 treat a request as local, and skip the Bearer-token check, when it arrives over a loopback socket and carries no Bearer token. When a reverse proxy on the same host forwards public traffic to the app over loopback, every public request arrives this way, so an unauthenticated client that simply omits the Authorization header is granted the local Inspector/API access that the token was meant to protect.
Recommendation
Update the neotoma npm package to 0.11.1 or later (the latest compatible version). Version details:
- Affected version(s): >= 0.6.0, < 0.11.1
- Patched version(s): 0.11.1
Related Issues
- LobeHub: Unauthenticated authentication bypass on `webapi` routes via forgeable `X-lobe-chat-auth` header - CVE-2026-39411
- Strapi Upload Plugin MIME Validation Bypass via Content API - CVE-2026-22707
- @delmaredigital/payload-puc is missing authorization on /api/puck/* CRUD endpoints allows unauthenticated access to Puck - CVE-2026-39397
- ApostropheCMS: publicApiProjection Bypass via project Query Builder in Piece-Type REST API - CVE-2026-33888
- Tags:
- npm
- neotoma
Last updated on May 18, 2026