Home / Vulnerability Intelligence / CVE-2026-33768

CVE-2026-33768 - Vulnerability Analysis

MediumCVSS: 6.5

Last Updated: March 26, 2026

Astro - Authentication Bypass

Published: March 24, 2026Updated: March 26, 2026PoC AvailableRemote Exploitable

Overview

Astro < 10.0.2 @astrojs/vercel serverless entrypoint contains an authentication bypass caused by unvalidated x-astro-path header and x_astro_path query parameter allowing path rewriting, letting attackers bypass platform path restrictions, exploit requires no authentication.

Severity & Score

Severity: Medium

CVSS Score: 6.5

Impact

Attackers can bypass platform path restrictions to access or modify protected endpoints, potentially leading to unauthorized actions.

Mitigation

Update to version 10.0.2 or later.

References

https://github.com/withastro/astro/releases/tag/%40astrojs%2Fvercel%4010.0.2
https://github.com/withastro/astro/security/advisories/GHSA-mr6q-rp88-fx84
https://github.com/withastro/astro/commit/335a204161f5a7293c128db570901d4f8639c6ed
https://github.com/withastro/astro/pull/15959

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-33768
Severity: Medium
CVSS Score: 6.5
Type: broken_access_control
Status: confirmed

CWE

CWE-441

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N