What happened
CVE-2026-58169 (CVSS 7.5 High) affects Vibe-Trading before 0.1.10. The server binds to 0.0.0.0 and treats any connection arriving from a loopback peer address as a trusted local client, without validating the HTTP Host header. A remote attacker can use DNS rebinding to make a victim's browser send requests that the server treats as localhost-originated, bypassing bearer-token authentication. Published 2026-06-30.
Why it matters
In an agentic trading platform, authentication bypass could allow remote unauthenticated attackers to submit trading mandates or access financial broker API sessions, directly enabling financial loss or account hijacking.
Attack vector
DNS rebinding attack: the attacker registers a domain that first resolves to an attacker-controlled IP and is then rebound to 127.0.0.1. The victim's browser, still on the attacker's origin, makes requests that now reach the local server over a loopback connection; because the server checks only the peer address and not the Host header, it accepts them as local and skips authentication.
Affected systems
HKUDS/Vibe-Trading < 0.1.10
Mitigation
Upgrade to Vibe-Trading 0.1.10 or later. PR: https://github.com/HKUDS/Vibe-Trading/pull/241
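As an added illustration (not code from the Vibe-Trading project or from PR #241), the check below contrasts the pre-fix decision, where a loopback peer address alone grants trust, with a hardened decision that also requires an allowlisted Host header; the allowlisted names are an assumption for the example.

```python
import ipaddress

# Assumed allowlist: the names under which a loopback-bound local UI expects
# to be addressed. A DNS-rebound attacker domain is never in this set.
ALLOWED_HOSTS = {"localhost", "127.0.0.1", "::1"}


def _host_without_port(host_header: str) -> str:
    """Strip an optional :port from a Host header, handling bracketed IPv6."""
    host = host_header.strip().lower()
    if host.startswith("["):
        end = host.find("]")
        return host[1:end] if end != -1 else ""
    return host.rsplit(":", 1)[0] if ":" in host else host


def is_loopback_peer(peer_ip: str) -> bool:
    """True for 127.0.0.0/8 and ::1; malformed addresses are never loopback."""
    try:
        return ipaddress.ip_address(peer_ip).is_loopback
    except ValueError:
        return False


def trusts_request_vulnerable(peer_ip: str, host_header: str) -> bool:
    # Pre-fix behaviour described in the advisory: the peer address alone
    # decides, so a browser rebound to 127.0.0.1 is treated as a local client.
    return is_loopback_peer(peer_ip)


def trusts_request_hardened(peer_ip: str, host_header: str) -> bool:
    # Hardened behaviour: loopback peer AND an allowlisted Host header.
    # A rebound name fails the Host check even though the TCP connection
    # arrives from 127.0.0.1, so the request must present a bearer token.
    if not is_loopback_peer(peer_ip):
        return False
    return _host_without_port(host_header) in ALLOWED_HOSTS
```

A request that fails the hardened check should fall through to normal bearer-token authentication rather than being rejected outright, so legitimate non-browser clients keep working.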