CVE-2026-42889: Relay Obsidian Server Authentication Bypass Critical

The National Vulnerability Database has published an entry for CVE-2026-42889, a critical authentication bypass (CVSS 9.1) affecting Relay Server versions 0.9.0 through 0.9.6. The flaw sits in the multi-document WebSocket endpoints of Relay Server, the backend that adds real-time collaboration to Obsidian.

According to the NVD entry, when authentication is configured, a WebSocket connection opened without a token query parameter was mistakenly granted full server permissions instead of being refused. The check fails open: the absence of a token is treated as trusted rather than as grounds to reject the connection. An unauthenticated attacker who can reach the server and knows or guesses a document ID can therefore connect to the document sync WebSocket and read or modify that document's contents without ever holding a valid document token.

This is a severe authorization flaw with a low bar to exploit: the attacker needs only network access to the endpoint and a document ID. Defenders running Relay Server for Obsidian should treat it as more than a data leak; because the unauthenticated session carries full permissions, document integrity is compromised along with confidentiality. The NVD entry records the fix in version 0.9.7.

What This Means For You

  • If your organization uses Relay Server for Obsidian, you are exposed to unauthenticated data exfiltration and modification. Immediately verify your Relay Server version.
  • If you are running any version from 0.9.0 through 0.9.6, upgrade to 0.9.7 without delay.
  • Audit server logs for WebSocket connections to document endpoints that carried no token query parameter, and review document history for changes that no authorized collaborator made. Treat any document whose ID has been shared in a link, embedded in a page, or is otherwise guessable as exposed.
  • As a general precaution not drawn from the advisory itself: until the upgrade is applied, limit who can reach the WebSocket endpoints at the network layer (VPN or address allowlist), since exploitation requires nothing beyond reachability and a document ID.

Indicators of Compromise

ID             | Type                    | Indicator
CVE-2026-42889 | Auth Bypass             | Relay Server versions 0.9.0 through 0.9.6
CVE-2026-42889 | Auth Bypass             | multi-document WebSocket endpoints
CVE-2026-42889 | Information Disclosure  | read document contents without a valid document token
CVE-2026-42889 | Unauthorized Modification | modify document contents without a valid document token

Note that these entries describe the vulnerable component and its impact rather than observables from an attack; the one log-level signal to hunt for is a WebSocket connection to a document endpoint that carried no token parameter.
Source & Attribution

Source platform: NVD
Channel: National Vulnerability Database
Published: May 12, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.

Related coverage

  • HashiCorp Nomad Code Execution (CVE-2026-7474) via Path Traversal: HashiCorp Nomad and Nomad Enterprise prior to 2.0.1 are vulnerable to code execution on the client host through a path traversal attack. This...
  • CVE-2026-44225: Pulpy Packager Allows Arbitrary File Access: Pulpy is a lightweight, cross-platform desktop application packager for web apps. Prior to 0.1.1, Pulpy injects a pulpy.fs JavaScript API into every packaged...
  • ArcadeDB Critical Vulnerability Bypasses Authorization Across Databases (CVE-2026-44221): ArcadeDB is a Multi-Model DBMS. Prior to 2.6.4, authenticated users and API tokens scoped to a specific database could read, write, and mutate...