Vulnerability  ·  2026-07-01

Vibe-Trading — DNS Rebinding Authentication Bypass Allows Remote Bearer-Token Bypass (CVE-2026-58169)

Vulnerability  ·  High impact  ·  Global  ·  CVE-2026-58169
CVE-2026-58169 (CVSS 7.5 High) affects Vibe-Trading before 0.1.10. The server binds to 0.0.0.0 and treats any connection whose TCP peer address is loopback as a trusted local client, without validating the HTTP Host header. A remote attacker can use DNS rebinding to make a victim's browser send requests that the server treats as localhost-originated, bypassing bearer-token authentication. Published 2026-06-30.
In an agentic trading platform, authentication bypass could allow remote unauthenticated attackers to submit trading mandates or access financial broker API sessions, directly enabling financial loss or account hijacking.
DNS rebinding attack: the attacker registers a domain that first resolves to an attacker-controlled IP and is then rebound to 127.0.0.1. The victim's browser, still addressing the attacker's domain, now delivers its requests to the loopback-bound server, which accepts them as loopback-originated and skips authentication.
HKUDS/Vibe-Trading < 0.1.10
Upgrade to Vibe-Trading 0.1.10 or later. PR: https://github.com/HKUDS/Vibe-Trading/pull/241
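The check that closes this class of bug, as an added example: this is not Vibe-Trading's code and not the contents of the linked PR. It contrasts the weak pattern described above (trusting the TCP peer address alone) with a check that also requires a loopback Host header. Function names, the port 8000, the host names and the sample peer addresses are all constructed for illustration.

```python
# Added example (not Vibe-Trading's code, not the PR #241 fix): a loopback
# trust check that combines the TCP peer address with an HTTP Host-header
# allowlist. Names, hosts and sample requests below are constructed.
import hmac
import ipaddress
from urllib.parse import urlsplit

# Host values a loopback-only service should accept (with or without a port).
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def host_name(host_header):
    """Strip the port from a Host header, handling bracketed IPv6 literals.
    Malformed or empty values yield '' so they never match the allowlist."""
    try:
        return (urlsplit("//" + host_header.strip()).hostname or "").lower()
    except ValueError:  # e.g. an unbalanced '[' in an IPv6 literal
        return ""


def is_loopback_peer(peer_ip):
    """True if the TCP peer address is a loopback address (127.0.0.0/8 or ::1)."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False


def weak_is_local(peer_ip, host_header):
    """The vulnerable pattern described in the advisory: only the peer address
    is consulted. A DNS-rebound browser request arrives from 127.0.0.1 with an
    attacker-controlled Host header and is accepted as 'local'."""
    return is_loopback_peer(peer_ip)


def hardened_is_local(peer_ip, host_header):
    """Require both a loopback peer AND a loopback Host header. A rebound
    request still carries the attacker's domain in Host, so it is rejected."""
    return is_loopback_peer(peer_ip) and host_name(host_header) in LOOPBACK_HOSTS


def authorize(peer_ip, host_header, authorization, expected_token):
    """Full decision: a valid bearer token always suffices; otherwise the
    request must be a genuine loopback request under the hardened check."""
    expected = ("Bearer " + expected_token).encode()
    if authorization and hmac.compare_digest(authorization.encode(), expected):
        return True
    return hardened_is_local(peer_ip, host_header)


# Constructed sample requests: (label, peer_ip, Host header).
SAMPLE_REQUESTS = [
    ("local CLI client",            "127.0.0.1",   "localhost:8000"),
    ("local IPv6 client",           "::1",         "[::1]:8000"),
    ("DNS-rebound browser request", "127.0.0.1",   "attacker.example:8000"),
    ("remote client spoofing Host", "203.0.113.5", "127.0.0.1:8000"),
]


def evaluate(samples=SAMPLE_REQUESTS):
    """Run both checks over the samples; returns {label: (weak, hardened)}."""
    return {
        label: (weak_is_local(peer, host), hardened_is_local(peer, host))
        for label, peer, host in samples
    }


if __name__ == "__main__":
    for label, (weak, hard) in evaluate().items():
        print(f"{label:30s} peer-only={weak!s:5s} peer+Host={hard}")
```

Running the script prints one row per sample; the rebound request is the only one where the two checks disagree. The Host check is complementary to, not a substitute for, binding the listener to 127.0.0.1 rather than 0.0.0.0: the narrower bind removes direct remote reachability, while the Host allowlist is what stops a browser that has been rebound onto the loopback address.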
Sources
NVD: CVE-2026-58169
GitHub: PR fix (https://github.com/HKUDS/Vibe-Trading/pull/241)