GHSA-g936-7jqj-mwv8: Administrative Token Leakage and Privilege Escalation in TSDProxy
Vulnerability ID: GHSA-G936-7JQJ-MWV8
CVSS Score: 8.3
Published: 2026-07-10
An authentication bypass and token leakage vulnerability exists in TSDProxy before version 1.4.4. The application unconditionally forwards its internal administrative token to all proxied backend services when identity headers are enabled. Attackers with control over an upstream backend can capture this token and replay it to the local management API to achieve full administrative control over the proxy engine.
TL;DR
TSDProxy unconditionally forwards its internal administrative authentication token to all proxied backend services when identity headers are enabled, allowing attackers in control of a backend to harvest the token and compromise the reverse proxy.
⚠️ Exploit Status: POC
Technical Details
- CWE ID: CWE-200, CWE-287
- Attack Vector: Network
- CVSS v3.1 Score: 8.3 (High)
- Impact: Privilege Escalation and Complete Proxy Control
- Exploit Status: poc
- KEV Status: Not Listed
Affected Systems
- TSDProxy
-
TSDProxy: < 1.4.4-0.20260603142855-434819b4421e (Fixed in:
1.4.4-0.20260603142855-434819b4421e)
Exploit Details
- GitHub Security Advisory: Advisory text outlining the manual steps to harvest and replay the x-tsdproxy-auth-token.
Mitigation Strategies
- Upgrade TSDProxy to version 1.4.4-0.20260603142855-434819b4421e or newer.
- Restrict loopback network access from containers to host port 8080.
- Disable identity headers globally if they are not required by backend services.
Remediation Steps:
- Pull the latest Docker image of TSDProxy incorporating commit 434819b4421e6b7471eaeb307533f19c52c222d8.
- Verify the configuration files and set 'identityHeaders: false' if user identity metadata is unnecessary.
- Configure firewalls (iptables/ufw) to isolate container networks from accessing localhost administrative interfaces.
References
- GitHub Security Advisory GHSA-g936-7jqj-mwv8
- TSDProxy Code Repository
- TSDProxy Security Patch Commit
Read the full report for GHSA-G936-7JQJ-MWV8 on our website for more details including interactive diagrams and full exploit analysis.
Top comments (0)