CVE-2026-42889 Overview
CVE-2026-42889 is an authentication bypass vulnerability in Relay Server, a service that adds real-time collaboration to Obsidian. Versions 0.9.0 through 0.9.6 mishandle authentication on multi-document WebSocket endpoints. When authentication is configured, WebSocket connections that omit the token query parameter are treated as having full server permissions. An unauthenticated network attacker who knows or guesses a document ID can connect to the document sync WebSocket and read or modify document contents without a valid document token. The issue is tracked under [CWE-639] and fixed in Relay Server 0.9.7.
Critical Impact
Unauthenticated remote attackers can read and modify collaborative document contents over WebSocket, bypassing per-document authorization entirely.
Affected Products
- Relay Server 0.9.0 through 0.9.6
- Multi-document WebSocket sync endpoints on Relay Server
- Obsidian environments using Relay for real-time collaboration
Discovery Timeline
- 2026-05-12 - CVE-2026-42889 published to NVD
- 2026-05-13 - Last updated in NVD database
Technical Details for CVE-2026-42889
Vulnerability Analysis
The flaw resides in the Relay Server multi-document WebSocket endpoint authentication path. The server expects clients to supply a per-document token via the token query parameter. When authentication is enabled, the absence of this parameter should reject the connection. Instead, the server treats the missing token as a privileged context and grants full server permissions. This allows an unauthenticated client to subscribe to document sync streams and issue write operations against any document whose identifier is known or guessable. The CWE-639 classification (Authorization Bypass Through User-Controlled Key) reflects authorization tied to a user-controlled key, the document ID, without enforcing a corresponding cryptographic token.
Root Cause
The root cause is missing input validation on the WebSocket handshake. The authentication middleware branches on whether the token parameter is present, but the default branch escalates privileges instead of rejecting the request. Document IDs alone act as the authorization boundary once the token check is skipped, violating the principle of complete mediation.
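As an added illustration (not Relay Server's own code), the following Python models the flawed branch described above next to a fail-closed version; the HMAC-based per-document token scheme, the /ws/<doc_id> path layout and the `fixed` switch are assumptions made for the example.

```python
import hmac
import hashlib
from typing import Optional
from urllib.parse import urlparse, parse_qs

# Constructed server secret; assumption: a per-document token is an HMAC tag over
# the document ID (the real Relay Server token scheme is not described on the page).
SERVER_SECRET = b"constructed-secret-for-illustration"

def document_token(doc_id: str) -> str:
    """Issue the per-document token a legitimate client would present."""
    return hmac.new(SERVER_SECRET, doc_id.encode(), hashlib.sha256).hexdigest()

def vulnerable_authorize(doc_id: str, token: Optional[str], auth_enabled: bool) -> str:
    """Models the flawed branch: a missing token is treated as a privileged context."""
    if not auth_enabled:
        return "full"
    if token is None:
        return "full"          # BUG: absence of the token escalates instead of rejecting
    if hmac.compare_digest(token, document_token(doc_id)):
        return "document"
    return "deny"

def fixed_authorize(doc_id: str, token: Optional[str], auth_enabled: bool) -> str:
    """Fail-closed version: with authentication on, no token means no access."""
    if not auth_enabled:
        return "full"
    if token is None:
        return "deny"          # complete mediation: every connection presents a token
    if hmac.compare_digest(token, document_token(doc_id)):
        return "document"
    return "deny"

def authorize_from_url(url: str, auth_enabled: bool = True, fixed: bool = True) -> str:
    """Take the document ID from the path and the token from the query of a WS URL."""
    parts = urlparse(url)
    doc_id = parts.path.rstrip("/").split("/")[-1]
    # parse_qs drops blank values, so "?token=" is treated the same as no token
    token = parse_qs(parts.query).get("token", [None])[0]
    check = fixed_authorize if fixed else vulnerable_authorize
    return check(doc_id, token, auth_enabled)
```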
Attack Vector
An attacker reaches the vulnerable endpoint over the network without credentials or user interaction. The attacker opens a WebSocket connection to the multi-document sync endpoint, omits the token query parameter, and supplies a target document ID. The server accepts the connection with full permissions, exposing the document stream for read and write operations. Document IDs that follow predictable patterns or that leak through other channels increase exploitability. See the GitHub Security Advisory for the maintainer's technical description.
Detection Methods for CVE-2026-42889
Indicators of Compromise
- WebSocket upgrade requests to Relay Server document sync endpoints that lack a token query parameter.
- Unexpected document modifications or content changes in Obsidian vaults backed by Relay Server.
- Connections from unfamiliar IP addresses establishing long-lived WebSocket sessions to multi-document endpoints.
Detection Strategies
- Inspect reverse proxy and application logs for WebSocket Upgrade requests whose query string does not include token=.
- Correlate document edit events with authenticated session identifiers and flag edits that lack an associated token.
- Alert when a single client subscribes to many document IDs in rapid succession, which suggests document ID enumeration.
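An added example, not from the page or the Relay Server project: a Python detector that applies the first and third strategies above to constructed access-log lines. The log format (combined format with the Upgrade header value appended as a trailing quoted field), the /ws/ path and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse, parse_qs

# Constructed access-log lines; the real Relay Server log format is not on the page.
LOG_LINES = [
    '203.0.113.5 - - [12/May/2026:10:00:01 +0000] "GET /ws/doc-7f3a?token=abc123 HTTP/1.1" 101 0 "websocket"',
    '203.0.113.9 - - [12/May/2026:10:00:02 +0000] "GET /ws/doc-7f3a HTTP/1.1" 101 0 "websocket"',
    '203.0.113.9 - - [12/May/2026:10:00:03 +0000] "GET /ws/doc-7f3b HTTP/1.1" 101 0 "websocket"',
    '203.0.113.9 - - [12/May/2026:10:00:04 +0000] "GET /ws/doc-7f3c HTTP/1.1" 101 0 "websocket"',
    '198.51.100.2 - - [12/May/2026:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 512 "-"',
]
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "(?P<upgrade>[^"]*)"$'
)

def parse_line(line):
    """Parse one line; returns None for lines that do not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    url = urlparse(rec["target"])
    rec["doc_id"] = url.path.rstrip("/").split("/")[-1]
    rec["has_token"] = bool(parse_qs(url.query).get("token"))   # blank token counts as missing
    rec["is_ws_upgrade"] = rec["upgrade"].lower() == "websocket" and url.path.startswith("/ws/")
    return rec

def tokenless_upgrades(lines):
    """Strategy 1: WebSocket upgrades to the sync endpoint whose query lacks token=."""
    recs = [r for r in map(parse_line, lines) if r]
    return [(r["ip"], r["doc_id"]) for r in recs if r["is_ws_upgrade"] and not r["has_token"]]

def enumeration_suspects(lines, window=timedelta(seconds=60), threshold=3):
    """Strategy 3: clients opening >= threshold distinct document IDs within one window."""
    by_ip = defaultdict(list)
    for r in map(parse_line, lines):
        if r and r["is_ws_upgrade"]:
            by_ip[r["ip"]].append((r["ts"], r["doc_id"]))
    suspects = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # slide the window over each start
            docs = {d for t, d in events[i:] if t - t0 <= window}
            if len(docs) >= threshold:
                suspects[ip] = len(docs)
                break
    return suspects
```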
Monitoring Recommendations
- Enable verbose access logging on the Relay Server and forward logs to a centralized SIEM for retention and search.
- Monitor egress and ingress traffic to the Relay Server port for anomalous WebSocket connection counts.
- Track Relay Server version strings across the fleet to confirm patched deployments.
How to Mitigate CVE-2026-42889
Immediate Actions Required
- Upgrade Relay Server to version 0.9.7 or later on all hosts running affected versions.
- Rotate any document tokens that may have been exposed during the vulnerable window.
- Audit document history for unauthorized modifications since the deployment of versions 0.9.0 through 0.9.6.
Patch Information
The maintainer fixed the issue in Relay Server 0.9.7. The patch enforces token validation on the multi-document WebSocket endpoint and rejects connections missing the token query parameter when authentication is enabled. Details are published in the GitHub Security Advisory GHSA-9vp9-8q9j-8mqm.
Workarounds
- Restrict network exposure of the Relay Server to trusted clients using firewall rules or a VPN until the upgrade is complete.
- Place an authenticating reverse proxy in front of Relay Server to enforce token presence on WebSocket upgrade requests.
- Disable the multi-document WebSocket endpoint if the deployment does not require collaborative editing.
# Example nginx rule to reject WebSocket upgrades missing a token parameter.
# $arg_token is nginx's built-in variable for the "token" query argument; it is
# empty both when the parameter is absent and when it is present but blank.
# This enforces presence only; validating the token value remains the job of
# the patched (0.9.7 or later) Relay Server behind the proxy.
# "relay_backend" is a placeholder upstream name; define it in an upstream block.
location /ws/ {
    if ($arg_token = "") {
        return 401;
    }
    proxy_pass http://relay_backend;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


