Incident #009 · opened 2026-05-28 · 17:06 UTC
[SECURITY] Unauthenticated Socket.IO JSON-RPC bypass exposes protected local core methods
new
close: support-only
Description
Security researcher sondt (@_sondt_) submitted a responsible disclosure via GitHub Security Advisory on 16/05/2026.
Vulnerability (confirmed P0)
Socket.IO endpoint at /socket.io/ accepts unauthenticated connections. The rpc:request event routes to the same dispatcher as the protected /rpc HTTP endpoint with no bearer token or Origin header check. This means any unauthenticated caller can invoke protected local core methods via Socket.IO, bypassing the authentication layer entirely. All code references in the report were verified against main by the team on 19/05/2026.
Advisory & PoC
GitHub Security Advisory: GHSA-h4g4-x264-prgx (draft — admin-only visibility)
Full report + PoC shared via message.txt (7 KB) in Discord on 19/05/2026.
Status
Fix confirmed going in as of 19/05/2026. As of 25/05/2026, fix forwarded to devs for upcoming build — not yet deployed. Researcher has requested: (1) update posted to the GitHub advisory once fix is live, and (2) CVE assignment if appropriate given severity.
Attachments
screenshots · logs · files · 1 item
Interventions
refunds · credits · manual fixes
No interventions logged.
Activity
2 events
Pooja
attached message.txt
May 28 · 17:06
Pooja
created the incident priority=urgent
May 28 · 17:06
Details
reporter
@_sondt_
email
—
ticket
open ↗
priority
URGENT
opened
2026-05-28 · 17:06
touched
2026-05-28 · 17:06
GitHub
issue
not pushed
pr
none