Back to overview

CVE-2026-58488

MEDIUM
6.9
CVSS 4.0
Description
HedgeDoc is an open source, real-time, collaborative, markdown notes application. Versions prior to 1.11.0 allowed attackers to circumvent the rate-limiting of the /login and /register routes by spoofing IP addresses. HedgeDoc instances checked for CloudFlare's cf-connecting-ip header and used that instead of the users real IP address, if the header was present even when the request did not originate from Cloudflare. This made it possible for an attacker to spam login requests or create multiple arbitrary accounts by sending another cf-connecting-ip header every few requests. The issue has been fixed in version 1.11.0.

Metadata

CVE ID
CVE-2026-58488
State
PUBLISHED
Assigner
GitHub_M
Reserved
2026-06-30 20:21 UTC
Published
2026-07-13 21:43 UTC
Last updated
2026-07-13 21:43 UTC
Primary CWE
CWE-290
CWE-290: Authentication Bypass by Spoofing
Vendor / Product
hedgedoc / hedgedoc
Sources
cve.org  ·  NVD

Severity & Metrics

6.9 MEDIUM CVSS 4.0
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
Affected products (1)
VendorProductPlatformVersions
hedgedoc hedgedoc < 1.11.0
Weakness (CWE)
CWESourceDescription
CWE-290 cna CWE-290: Authentication Bypass by Spoofing
CWE-770 cna CWE-770: Allocation of Resources Without Limits or Throttling
CVSS scores (1)
ScoreSeverityVersionSourceVector
6.9 MEDIUM 4.0 cna CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N
References (1)
Back to overview