A vulnerability has been found in waooAI waoowaoo up to 0.4.1 and classified as critical. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This manipulation of the argument x-internal-user-id request causes improper authentication.

This vulnerability is registered as CVE-2026-15557. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

The project was informed of the problem early through an issue report but has not responded yet.