GHSA-g936-7jqj-mwv8: TSDProxy: Internal proxy auth token forwarded to backend services enables management API escalation
Summary
TSDProxy has a vulnerability where it forwards its internal authentication token (x-tsdproxy-auth-token) to all backend services it proxies, even when users aren't authenticated. An attacker who can run code on a backend service can steal this token and replay it to the management API from localhost, bypassing authentication entirely and gaining full control over all proxied services. This works in deployments where TSDProxy and backends run on the same machine or in shared network containers.
Solution / Mitigation
Remove the HeaderAuthToken from outgoing backend requests and only inject identity headers for authenticated users with a non-empty user ID. The fix shown in the source changes the code to check `user.ID != ""` before setting headers, and explicitly notes that HeaderAuthToken should NOT be forwarded to backends.
Classification
Affected Packages
Original source: https://github.com/advisories/GHSA-g936-7jqj-mwv8
First tracked: July 10, 2026 at 08:01 PM
Classified by LLM (prompt v3) · confidence: 95%