Axios CVSS 10.0 Flaw Leaks Cloud Metadata via Headers

◆ DEEP DIVES

1. 01

   Two CVSS 10.0s, Eight Auth Bypasses, and Your Security Tools' Own Vulnerabilities — This Week's Triage Queue Is the Worst of 2026

   <h3>The Pattern No One's Naming</h3><p>Count the authentication bypass and credential vulnerabilities disclosed this week: <strong>Quest KACE SMA, Cisco Webex SSO, Apache Kafka JWT, OAuth2 Proxy, FastGPT NoSQL injection, Sonatype Nexus hard-coded credentials, Spring Security Authorization Server, and Cisco ISE</strong>. Eight products, all failing at the most fundamental security control. This is not coincidence — it's an industry-wide pattern.</p><p>Two of these carry the maximum possible severity: <strong>Quest KACE SMA (CVE-2025-32975, CVSS 10.0)</strong> enables complete admin takeover with zero authentication and has been on CISA KEV since April 20. <strong>Axios (CVE-2026-40175, CVSS 10.0)</strong> allows header injection that exfiltrates cloud metadata — and as the most popular JavaScript HTTP client, it's almost certainly a transitive dependency in your projects.</p><blockquote>When your artifact repository has hard-coded credentials, your Kafka cluster accepts forged JWTs, and your SIEM has unauthenticated file read — the attackers don't need zero-days; they need patience and a vulnerability scanner.</blockquote><h3>The Security Tool Problem</h3><p>This week's most disturbing sub-pattern: <strong>your defensive infrastructure is the vulnerability</strong>. CrowdStrike LogScale (CVE-2026-40050, CVSS 9.8) has unauthenticated path traversal allowing anyone to read files from your SIEM. Sonatype Nexus Repository Manager (CVE-2026-5189) has hard-coded credentials across versions 3.0.0 through 3.70.5 — a supply chain security tool with a supply chain vulnerability. Fortinet FortiSandbox has dual CVSS 9.8 vulnerabilities enabling OS command injection and privilege escalation in your sandbox. Trojanized Checkmarx KICS Docker images were exfiltrating every secret in your IaC configs.</p><h3>The Numbers That Should Drive Your Prioritization</h3><table><thead><tr><th>CVE</th><th>Product</th><th>CVSS</th><th>Status</th><th>Action</th></tr></thead><tbody><tr><td>CVE-2025-32975</td><td>Quest KACE SMA</td><td>10.0</td><td><strong>CISA KEV</strong></td><td>Patch or isolate NOW</td></tr><tr><td>CVE-2026-40175</td><td>Axios</td><td>10.0</td><td>Disclosed</td><td>npm ls axios everywhere</td></tr><tr><td>CVE-2026-33557</td><td>Apache Kafka</td><td>9.1</td><td>Disclosed</td><td>Verify JWT validation</td></tr><tr><td>CVE-2026-20180/86/47</td><td>Cisco ISE</td><td>3× 9.9</td><td>Patches available</td><td>Patch NAC backbone</td></tr><tr><td>CVE-2026-20184</td><td>Cisco Webex</td><td>9.8</td><td>Patches available</td><td>SSO bypass — patch</td></tr><tr><td>CVE-2026-22752</td><td>Spring Auth Server</td><td>High</td><td>Patches today</td><td>1.3.11, 1.4.10, or 1.5.7</td></tr><tr><td>CVE-2026-40050</td><td>CrowdStrike LogScale</td><td>9.8</td><td>Self-hosted patch</td><td>Verify with CrowdStrike</td></tr><tr><td>CVE-2026-5450</td><td>glibc</td><td>9.8</td><td>16 years affected</td><td>Plan upgrade path</td></tr></tbody></table><h3>The ASP.NET Core Wrinkle</h3><p>Microsoft's out-of-band ASP.NET Core patch is particularly treacherous: <strong>patching the runtime is explicitly insufficient</strong>. Applications that embed the vulnerable library must be fully rebuilt, and all tokens and cookies generated pre-patch must be expired. Your patch management dashboard will show green while applications remain vulnerable. <em>This is a rebuild-and-rotate scenario, not a patch-and-forget scenario.</em></p><hr><h3>Cross-Source Insight</h3><p>Multiple sources converge on the same structural problem: only <strong>5-7% of CVEs are exploited in the wild</strong>, but the average remediation gap is 55 days while adversaries exploit in under 1 week. At 110+ new CVEs per day, CVSS-only triage is mathematically unsolvable. Sources agree: <strong>EPSS integration is no longer optional</strong> — it's the only way to focus on the vulns that matter at this volume.</p>

   Action items

   • Run `npm ls axios` and `yarn why axios` across all JavaScript/TypeScript projects; upgrade to patched version. Enforce IMDSv2 on all cloud instances.
   • Patch Quest KACE SMA to 13.0.385+, 13.1.81+, 13.2.183+, 14.0.341+, or 14.1.101+. Isolate from internet if patching is delayed.
   • Verify Apache Kafka JWT authentication is actually validating tokens. Apply network ACLs immediately if using JWT auth.
   • Patch Cisco ISE/ISE-PIC (3× CVSS 9.9) and Webex SSO bypass (9.8). Patch CrowdStrike LogScale if self-hosted.
   • Patch Spring Authorization Server to 1.3.11, 1.4.10, or 1.5.7. Disable Dynamic Client Registration as stop-gap.
   • Initiate rebuilds for all applications embedding vulnerable ASP.NET Core library. Expire all affected tokens and cookies.
   • Integrate EPSS v3 scores into vulnerability management workflow alongside CVSS within 2 weeks.

   Sources:Two CVSS 10.0s on KEV, Axios supply chain bomb, and your Kafka cluster accepts any JWT · Your Windows Defender is the weapon: unpatched zero-day gives SYSTEM on fully patched endpoints right now · Your ASP.NET Core apps need rebuilds, not patches · 1,300 SharePoint servers still exposed, MOVEit WAF bypassed

2. 02

   Checkmarx KICS, Axios, and npm Packages — Supply Chain Poisoning Is Targeting Your DevSecOps Pipeline Directly

   <h3>The Security Scanner Was the Exfiltration Channel</h3><p>Attackers overwrote official tags in the <strong>Checkmarx KICS Docker Hub repository</strong> — including v2.1.20, alpine, and a fabricated v2.1.21 — injecting a trojanized binary that generates uncensored IaC scan reports, <strong>encrypts and exfiltrates every secret</strong> found in your Terraform, CloudFormation, and Kubernetes configs. The tool designed to find your secrets was weaponized to steal them. Organizations using KICS in CI/CD pipelines may have been exfiltrating cloud credentials with every scan run.</p><p>This follows the Trivy compromise and Axios vulnerability in rapid succession, confirming that <strong>the DevSecOps toolchain itself is now a primary target</strong>. Exploit-to-weaponization timelines are shrinking to hours.</p><h3>The Self-Propagating npm Threat</h3><p>Two malicious npm packages — <strong>'pgserve' and 'automagik'</strong> — were designed to infect every downstream package built using them, creating a worm-like propagation chain through your build pipeline. They steal data, credentials, and secrets, with researchers describing potential for <em>"complete organizational takeover."</em> If either package entered your dependency tree, every build artifact since introduction is compromised.</p><h3>Sonatype Nexus: Your Artifact Repository Has Hard-Coded Credentials</h3><p>CVE-2026-5189 affects Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 with <strong>hard-coded credentials enabling unauthenticated OS command execution</strong>. Your artifact repository is the supply chain control point — it's where you store the packages your CI/CD pipeline trusts implicitly. A compromised Nexus is a compromised build pipeline.</p><blockquote>When your IaC scanner exfiltrates secrets, your npm packages self-propagate malware, and your artifact repository has default credentials — the supply chain isn't broken; it's been weaponized.</blockquote><h3>The Convergence Pattern</h3><p>Five sources independently flagged the same pattern: supply chain attacks are no longer targeting application code — they're <strong>targeting the security and development tools themselves</strong>. The attack surface has shifted upstream to the tools developers trust most implicitly.</p><table><thead><tr><th>Target</th><th>Attack</th><th>Data at Risk</th><th>Check Command</th></tr></thead><tbody><tr><td>Axios</td><td>CVE-2026-40175 (CVSS 10.0)</td><td>Cloud metadata via header injection</td><td><code>npm ls axios</code></td></tr><tr><td>Checkmarx KICS</td><td>Trojanized Docker images</td><td>All IaC secrets (TF, CF, K8s)</td><td>Compare image digests</td></tr><tr><td>Sonatype Nexus</td><td>CVE-2026-5189 hard-coded creds</td><td>All artifacts + OS access</td><td>Check version 3.0–3.70.5</td></tr><tr><td>npm: pgserve/automagik</td><td>Self-propagating malware</td><td>Secrets, credentials, data</td><td><code>npm audit</code></td></tr><tr><td>@fastify/express</td><td>CVE-2026-33807 (9.1)</td><td>Auth bypass</td><td>Version ≤4.0.4</td></tr></tbody></table><hr><h3>Container Image Trust Is Broken</h3><p>The Checkmarx KICS attack exploited a fundamental gap: <strong>most CI/CD pipelines pull images by tag, not by digest</strong>. Attackers overwrote legitimate tags with trojanized versions. The fix is architectural: implement container image signing and digest-based pinning using Sigstore/Cosign, Kyverno, or OPA Gatekeeper. Deploy admission controllers to reject unsigned or unverified images.</p>

   Action items

   • Audit all KICS Docker images pulled in the last 30 days. Compare digests against Checkmarx verified hashes for v2.1.20, v2.1.21, and alpine tags.
   • Run dependency scans for npm packages 'pgserve' and 'automagik' across all repositories. Block at registry proxy. Rotate all secrets if found.
   • Verify Sonatype Nexus version across all instances. Patch if running 3.0.0–3.70.5. Audit access logs for unauthorized patterns and rotate accessible secrets.
   • Implement container image signing and digest-based pinning across all CI/CD pipelines within 2 weeks.
   • If compromised KICS images were used, rotate every credential in every IaC config that was scanned — Terraform, CloudFormation, and Kubernetes.

   Sources:Your Windows Defender is the weapon: unpatched zero-day gives SYSTEM on fully patched endpoints right now · Your ASP.NET Core apps need rebuilds, not patches · Your CI/CD pipelines, AWS agents, and OAuth trust chains all got new public exploit toolkits this week · Two CVSS 10.0s on KEV, Axios supply chain bomb, and your Kafka cluster accepts any JWT

3. 03

   Enterprise AI Agents Got Production Keys This Week — Your IAM Framework Doesn't Have a Category for Them

   <h3>Five Platforms Shipped, Zero Governance Solutions Exist</h3><p>In a single week: <strong>OpenAI</strong> launched Workspace Agents with Slack and Salesforce integration for Business/Enterprise tiers. <strong>Google</strong> unveiled the Gemini Enterprise Agent Platform with a central registry and 200+ model support. <strong>Factory</strong> shipped Droid — always-on AI agents with their own filesystems and credentials. <strong>Block</strong> deployed MoneyBot and ManagerBot with autonomous payment authority. <strong>Alipay</strong> launched AI Pay enabling agent-initiated purchases via OpenClaw protocol. <strong>Coinbase</strong> is embedding executive-persona agents in Slack.</p><p>At RSAC 2026, across 11 main-stage keynotes, <strong>no speaker claimed a working solution for AI agent security</strong>. Every customer deploying AI agents is in monitor-only mode with no enforcement.</p><blockquote>Each workspace agent is a persistent identity with OAuth scopes spanning multiple SaaS applications, capable of reading sensitive data, writing to business channels, and triggering external actions — and your IAM framework doesn't have a category for it.</blockquote><h3>The Agent Identity Crisis</h3><p>Google Cloud resellers working implementations explicitly flagged that <strong>determining what agents should have access to is an unsolved enterprise challenge</strong>. Home Depot disclosed employees have access to four AI providers simultaneously (Google, Anthropic, OpenAI, Microsoft), switching based on quality. That's four providers with different data handling, retention, and training policies — each model switch is a data flow your DLP didn't account for.</p><h3>Financial Agents Change the Calculus</h3><p>Block's agents autonomously execute payments, savings, and inventory management. Alipay's agents make purchases. Coinbase has executive-persona agents in Slack providing strategic feedback. The attack surface for each: <strong>prompt injection</strong> via data the agent ingests, <strong>credential persistence</strong> through background tokens that outlive sessions, and <strong>authority exploitation</strong> since Coinbase's agents speak with executive credibility.</p><table><thead><tr><th>Platform</th><th>Data Access</th><th>Action Capability</th><th>Governance</th></tr></thead><tbody><tr><td>OpenAI Workspace Agents</td><td>Slack, Salesforce, enterprise tools</td><td>Code gen, reports, communication</td><td>Optional HITL</td></tr><tr><td>Google Gemini Platform</td><td>Gmail, Drive, Docs, Sheets, Chat</td><td>Cross-app queries, orchestration</td><td>Central registry (new)</td></tr><tr><td>Block MoneyBot</td><td>Cash App payments, savings</td><td>Autonomous transactions</td><td>Not disclosed</td></tr><tr><td>Factory Droid</td><td>Own filesystem + credentials</td><td>Always-on execution</td><td>BYOD or cloud</td></tr></tbody></table><h3>The 60% Threshold</h3><p>Vercel's CTO disclosed that <strong>60% of traffic to their admin/configuration app is bot traffic</strong> — AI agents configuring applications on behalf of humans. Your behavioral baselines, anomaly detection, and authentication mechanisms were designed for human interaction patterns. They will fail on legitimate agent traffic and miss attacks that mimic agent patterns.</p><hr><h3>What the AWS Bedrock AgentCore Failure Teaches</h3><p>AWS Bedrock AgentCore's starter toolkit generates <strong>wildcard IAM permissions by default</strong>, enabling a 'God Mode' where compromising one agent grants access to all agents' memories, ECR images, and code interpreters. AWS chose to <strong>update documentation rather than change the defaults</strong>. Every team that spun up AgentCore has wildcard roles in your account right now. This is the governance gap in microcosm — and Cisco's five new open-source tools (AI BOM, MCP Scanner, A2A Scanner, CodeGuard, DefenseClaw) are the first defensive tooling worth evaluating.</p>

   Action items

   • Conduct an AI agent inventory across your organization by end of next week — catalog every agent, its OAuth scopes, data access, and action permissions.
   • Identify and remediate all AWS Bedrock AgentCore deployments using auto-generated IAM roles. Replace wildcard permissions with least-privilege scoped to each agent.
   • Publish a CISO advisory requiring security review before any AI agent deployment with SaaS integration. Define AI agents as a distinct identity class in your IAM framework.
   • Evaluate Cisco's OSS AI defense tools (AI BOM, MCP Scanner, A2A Scanner) for integration by end of Q2.
   • Update fraud detection baselines for non-human transaction patterns if any agent-enabled payment platforms (Block, Alipay, Coinbase) are in your payment ecosystem.

   Sources:Autonomous AI agents just got cloud access to your Slack, Gmail, and enterprise tools · Agent Sprawl Is Your Next Shadow IT Crisis · OpenAI, Google & Microsoft just gave AI agents keys to your enterprise data · Autonomous AI agents are getting payment access at Block, Alipay, and Coinbase · A Discord group used a vendor breach to crack Anthropic's restricted cyber-AI · AI agents are getting their own credentials and filesystems