Listen to this Post
Neotoma versions starting from v0.6.0 contain a critical authentication bypass vulnerability that arises from improper handling of reverse-proxied requests. When a public deployment is placed behind a reverse proxy or a same-host tunnel that forwards traffic to the Neotoma Node process over the loopback interface (127.0.0.1), the REST auth middleware can incorrectly treat these public, unauthenticated requests as if they originated locally. This occurs specifically when no Bearer token is present in the request. The middleware, relying on the loopback socket address as a signal of trust, resolves the request context to the local development user without any credential validation. As a result, an external attacker can access the hosted Inspector and the associated API surface without any authentication. The impact is severe: unauthorized access to all production data exposed through these interfaces on affected deployments. The root cause is a flawed assumption that any request arriving on a loopback socket must be from a trusted local process. The remediation, already implemented on the main branch, changes the local-request detection to “fail closed” in production environments. Loopback trust is no longer automatic; it must be explicitly enabled by an administrator. Even then, forwarded public clients are correctly identified as remote. The official patched release is pending, but organizations using Neotoma in the described configuration should treat all v0.6.0+ versions as vulnerable until a fixed release is available.
Platform: Neotoma
Version: v0.6.0+
Vulnerability: Auth bypass
Severity: Critical
Date: 2026-05-18
Prediction: Within 2 weeks
Analytics
What Undercode Say:
Check for vulnerable loopback trust configuration grep -r "loopback" /etc/neotoma/config.yml Monitor for suspicious unauthenticated access to /api/inspector journalctl -u neotoma | grep "Unauthenticated request on loopback" Simulate attack from external machine (replace TARGET_IP with public IP) curl -v http://TARGET_IP:3000/api/inspector -H "X-Forwarded-For: 8.8.8.8" Test if vulnerability is patched by attempting to access without token curl -v http://TARGET_IP:3000/api/inspector --header "Host: internal.host"
Exploit
Send HTTP requests to the public endpoint without a Bearer token. The middleware resolves the request as local developer, granting full Inspector and API access.
Protection
Upgrade to patched version (when available). Disable loopback trust in production. Implement strict reverse proxy validation (e.g., require `X-Forwarded-Proto` and validate X-Forwarded-For). Use explicit authentication tokens.
Impact
Unauthenticated remote attackers can fully access Neotoma’s Inspector and API, leading to complete exposure of all production data managed by the application.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

