CVE-2023-49091

Name: CVE-2023-49091
Creator: NVD / NIST
Published: 2023-11-29T20:15:08.39+00:00
License: https://creativecommons.org/publicdomain/zero/1.0/

CRITICALCVSS 9.8/10EPSS 0.77%

Last modified Jun 17, 2026

CVE-2023-49091 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid and not expiring after log out. EPSS estimates a 0.77% chance of exploitation in the next 30 days.

Description

Cosmos provides users the ability self-host a home server by acting as a secure gateway to your application, as well as a server manager. Cosmos-server is vulnerable due to to the authorization header used for user login remaining valid and not expiring after log out. This vulnerability allows an attacker to use the token to gain unauthorized access to the application/system even after the user has logged out. This issue has been patched in version 0.13.1.

Metrics

CVSS 3.1

9.8/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Probability

0.77%

50.9th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

Affected Software

Vendor	Product	Versions
Cosmos-Cloud	Cosmos Server	0.1.15
Cosmos-Cloud	Cosmos Server	0.1.16
Cosmos-Cloud	Cosmos Server	0.1.17
Cosmos-Cloud	Cosmos Server	0.2.0
Cosmos-Cloud	Cosmos Server	0.3.0
Cosmos-Cloud	Cosmos Server	0.3.1
Cosmos-Cloud	Cosmos Server	0.3.2
Cosmos-Cloud	Cosmos Server	0.3.3
Cosmos-Cloud	Cosmos Server	0.3.4
Cosmos-Cloud	Cosmos Server	0.3.5
Cosmos-Cloud	Cosmos Server	0.4.0
Cosmos-Cloud	Cosmos Server	0.4.1
Cosmos-Cloud	Cosmos Server	0.4.2
Cosmos-Cloud	Cosmos Server	0.4.3
Cosmos-Cloud	Cosmos Server	0.5.0
Cosmos-Cloud	Cosmos Server	0.5.1
Cosmos-Cloud	Cosmos Server	0.5.2
Cosmos-Cloud	Cosmos Server	0.5.3
Cosmos-Cloud	Cosmos Server	0.5.4
Cosmos-Cloud	Cosmos Server	0.5.5
Cosmos-Cloud	Cosmos Server	0.5.6
Cosmos-Cloud	Cosmos Server	0.5.7
Cosmos-Cloud	Cosmos Server	0.5.8
Cosmos-Cloud	Cosmos Server	0.5.9
Cosmos-Cloud	Cosmos Server	0.5.12
Cosmos-Cloud	Cosmos Server	0.6.0
Cosmos-Cloud	Cosmos Server	0.6.1
Cosmos-Cloud	Cosmos Server	0.6.2
Cosmos-Cloud	Cosmos Server	0.6.3
Cosmos-Cloud	Cosmos Server	0.6.4
Cosmos-Cloud	Cosmos Server	0.7.0
Cosmos-Cloud	Cosmos Server	0.7.1
Cosmos-Cloud	Cosmos Server	0.7.2
Cosmos-Cloud	Cosmos Server	0.7.3
Cosmos-Cloud	Cosmos Server	0.7.4
Cosmos-Cloud	Cosmos Server	0.7.5
Cosmos-Cloud	Cosmos Server	0.7.6
Cosmos-Cloud	Cosmos Server	0.7.7
Cosmos-Cloud	Cosmos Server	0.7.8
Cosmos-Cloud	Cosmos Server	0.7.9
Cosmos-Cloud	Cosmos Server	0.7.10
Cosmos-Cloud	Cosmos Server	0.8.0
Cosmos-Cloud	Cosmos Server	0.8.1
Cosmos-Cloud	Cosmos Server	0.8.2
Cosmos-Cloud	Cosmos Server	0.8.3
Cosmos-Cloud	Cosmos Server	0.8.4
Cosmos-Cloud	Cosmos Server	0.8.5
Cosmos-Cloud	Cosmos Server	0.8.6
Cosmos-Cloud	Cosmos Server	0.8.7
Cosmos-Cloud	Cosmos Server	0.8.8

Showing 50 of 91 affected configurations. See NVD for the full list.

References

https://github.com/azukaar/Cosmos-Server/commit/7a3fdfb467bd4d1f8333e3e1f3c3f5fca0b69cd7Patch
https://github.com/azukaar/Cosmos-Server/security/advisories/GHSA-hpvm-x7m8-3c6xExploit, Vendor Advisory
https://github.com/azukaar/Cosmos-Server/security/advisories/GHSA-hpvm-x7m8-3c6xExploit, Vendor Advisory

Timeline

Published: Nov 29, 2023
Last Modified: Jun 17, 2026
Status: Analyzed

Frequently Asked Questions

What is CVE-2023-49091?

How severe is CVE-2023-49091?

CVE-2023-49091 has a CVSS score of 9.8/10 (CRITICAL severity). The EPSS model estimates a 0.77% probability of exploitation in the next 30 days.

How do I fix CVE-2023-49091?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.

Are you affected by CVE-2023-49091?

Run a free Strix scan to check your systems for this vulnerability.

Scan your code now

Source: NVD / NIST