Auth bypass in Markmhendrickson Neotoma
CVE-2026-45577
Neotoma provides versioned records that persist across agent runs. From 0.6.0 to before 0.11.1, Neotoma can treat public reverse-proxied requests as local when the app receives them over a loopback socket and no Bearer token is present. In…
EPSS: 0.001 (17.1th percentile)
Affected products
- Markmhendrickson Neotoma — versions >= 0.6.0, < 0.11.1
Weakness classification (CWE)
References
- security-advisories@github.com (x_refsource_CONFIRM)
- security-advisories@github.com (x_refsource_MISC)