Authentication Bypass Vulnerability in Nacos 1.4.1 (User‑Agent and Server Identity)

The article analyzes a bypass flaw in Nacos 1.4.1 where the serverIdentity key‑value authentication can be evaded by crafting URLs with a trailing slash, allowing attackers to list, create, and log in as users despite the intended security checks.

Authentication BypassExploitNacos

0 likes · 8 min read

Authentication Bypass Vulnerability in Nacos 1.4.1 (User‑Agent and Server Identity)

Programmer DD

Jan 16, 2021 · Information Security

Bypassing Nacos 1.4.1 User-Agent Authentication to Add Arbitrary Users

The article explains how Nacos 1.4.1's serverIdentity key‑value authentication can be bypassed by manipulating the request path, allowing attackers to call any HTTP interface, add new users, and gain full console access, and provides reproduction steps and a fix recommendation.

Authentication BypassCVENacos

0 likes · 10 min read

Bypassing Nacos 1.4.1 User-Agent Authentication to Add Arbitrary Users