CVE-2026-4171: serverless-express Auth Bypass Vulnerability

CVE-2026-4171 Overview

A security vulnerability has been detected in CodeGenieApp serverless-express up to version 4.17.1. This authorization bypass vulnerability affects the TodoList.ts file within the API Endpoint component located at examples/lambda-function-url/packages/api/models/. The manipulation of the userId argument enables attackers to bypass authorization controls, potentially allowing unauthorized access to resources belonging to other users.

Critical Impact

Remote attackers can exploit this authorization bypass vulnerability to access or manipulate data belonging to other users by manipulating the userId parameter in API requests.

Affected Products

• CodeGenieApp serverless-express versions up to 4.17.1
• Applications using the vulnerable TodoList.ts API endpoint model
• Lambda function URL deployments using the affected example code

Discovery Timeline

• March 16, 2026 - CVE-2026-4171 published to NVD
• March 16, 2026 - Last updated in NVD database

Technical Details for CVE-2026-4171

Vulnerability Analysis

This vulnerability is classified as CWE-285 (Improper Authorization), a flaw that occurs when an application fails to properly verify that a user is authorized to access a particular resource or perform a specific action. In the context of CodeGenieApp serverless-express, the vulnerability resides in the TodoList.ts model file where the userId parameter can be manipulated to bypass authorization checks.

The exploit has been publicly disclosed and the vendor was contacted regarding this vulnerability but did not respond. The network-based attack vector means exploitation can occur remotely without requiring physical access to the target system. An attacker with low privileges can exploit this vulnerability to gain unauthorized access to confidential data, modify information, or disrupt availability of resources belonging to other users.

Root Cause

The root cause of this vulnerability stems from improper authorization validation in the API endpoint handling. The TodoList.ts model file fails to adequately verify that the requesting user has legitimate access to the resources associated with the provided userId parameter. This allows an authenticated attacker to supply a different user's ID and access their data without proper authorization checks being enforced.

Attack Vector

The vulnerability can be exploited remotely over the network. An attacker who has obtained basic authentication to the application can manipulate the userId argument in API requests to the affected endpoint. By substituting their own user identifier with that of another user, they can bypass the intended authorization controls and access resources (such as todo lists) belonging to the targeted user.

The attack flow involves intercepting or crafting API requests to the vulnerable endpoint and modifying the userId parameter to reference a different user's account. Since the application does not properly validate that the authenticated user matches the requested userId, the malicious request is processed and returns or modifies the targeted user's data.

For technical details regarding this vulnerability, refer to the GitHub Issue Discussion and the VulDB CTI Entry #351078.

Detection Methods for CVE-2026-4171

Indicators of Compromise

• API requests where the authenticated user's identity does not match the userId parameter being queried
• Unusual patterns of access to multiple user accounts from a single session or IP address
• Log entries showing successful data retrieval for user IDs that differ from the authenticated session

Detection Strategies

• Implement application-level logging that captures both the authenticated user identity and the requested userId parameter for audit purposes
• Deploy API gateway rules to flag requests where authentication tokens do not correspond to the target user ID in the request
• Configure intrusion detection systems to alert on patterns consistent with Insecure Direct Object Reference (IDOR) attacks

Monitoring Recommendations

• Monitor API access logs for anomalous patterns where single users access data across multiple accounts
• Establish baseline metrics for normal user behavior and alert on deviations that suggest account enumeration or unauthorized access attempts
• Review CloudWatch or equivalent serverless monitoring for Lambda function invocations with suspicious parameter combinations

How to Mitigate CVE-2026-4171

Immediate Actions Required

• Review all API endpoints in your serverless-express implementation for proper authorization validation
• Implement server-side checks that verify the authenticated user's identity matches the requested userId before processing requests
• Audit application logs for evidence of exploitation attempts or unauthorized data access

Patch Information

As of the last update, no official patch has been released by the vendor. The vendor was contacted regarding this disclosure but did not respond. Organizations using the affected example code should implement their own authorization controls or consider alternative implementations. Monitor the VulDB entry for updates on patch availability.

Workarounds

• Implement middleware that validates the authenticated user's session ID matches the userId parameter in all API requests
• Add row-level security controls at the database layer to ensure users can only access their own records regardless of API-level vulnerabilities
• Consider removing or restricting access to the vulnerable example endpoint until proper authorization controls are implemented

# Example authorization middleware implementation concept
# Add to your serverless-express API before processing requests
# Ensure authenticated userId matches requested resource userId
# Reject requests with HTTP 403 Forbidden when mismatch detected