CVE-2026-42889

Critical

Published: 12 May 2026

Published

12 May 2026

Modified

12 May 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score N/A

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-42889 is a critical-severity Authorization Bypass Through User-Controlled Key (CWE-639) vulnerability. Its CVSS base score is 9.1 (Critical).

Operationally, it is not currently listed in the CISA KEV catalog.

Threat & Defense Details

Likely Mitigating ControlsAI

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

AC-24 Access Control Decisions

addresses: CWE-863 CWE-639

Applying decisions to each request prior to enforcement mitigates incorrect authorization by enforcing consistent policy evaluation.

AC-3 Access Enforcement

addresses: CWE-863 CWE-639

Mandating policy-based enforcement reduces the chance of incorrect authorization logic being used.

AC-1 Policy and Procedures

addresses: CWE-863

Periodic review and update of procedures reduces incorrect authorization implementations over time.

AC-13 Supervision and Review — Access Control

addresses: CWE-863

Supervision identifies cases where authorization logic incorrectly permits unauthorized actions.

AC-16 Security and Privacy Attributes

addresses: CWE-863

Defining permitted attribute values and auditing modifications reduces the chance of incorrect authorization outcomes due to tampered or missing labels.

AC-17 Remote Access

addresses: CWE-863

The authorization process and usage restrictions help prevent incorrect authorization for remote access types.

AC-18 Wireless Access

addresses: CWE-863

Establishing configuration and connection requirements helps ensure correct rather than incorrect authorization for wireless access.

AC-19 Access Control for Mobile Devices

addresses: CWE-863

Establishing connection authorization processes for mobile devices helps ensure authorization decisions are correctly implemented rather than incorrect.

NVD Description

Relay adds real-time collaboration to Obsidian. Relay Server versions 0.9.0 through 0.9.6 contain an authentication bypass in the multi-document WebSocket endpoints. When authentication is configured, WebSocket connections without a token query parameter were incorrectly treated as having full server permissions.…

An unauthenticated network attacker who knows or guesses a document ID could connect to the document sync WebSocket and read or modify document contents without a valid document token. This vulnerability is fixed in 0.9.7.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s): CWE-639 CWE-863

Affected Products

—

Obsidian. Relay Server

inferred from references and description; NVD did not file a CPE for this CVE

References

https://github.com/No-Instructions/relay-server/security/advisories/GHSA-9vp9-8q9j-8mqm
security-advisories@github.com