Skip to content

Commit 9722cc4

Browse files
1 parent e329b30 commit 9722cc4

3 files changed

Lines changed: 123 additions & 36 deletions

File tree

Lines changed: 61 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,61 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-72p9-6vv6-gvqh",
4+
"modified": "2026-07-01T19:47:20Z",
5+
"published": "2026-05-27T15:33:28Z",
6+
"aliases": [
7+
"CVE-2026-9712"
8+
],
9+
"summary": "pretix vulnerable to Authorization Bypass Through User-Controlled Key",
10+
"details": "When creating an export through the pretix API, API clients are returned an UUID value for their export job (a long, random string like 35742818-c375-4d15-839f-d49aecce94d6). Using this UUID, the API client can then request the actual file for download. The same kind of UUID is used in other places in pretix when temporary files are generated for internal use or download.\n\nOne remaining API endpoint, however, wrongfully did not verify if the UUID used for download actually belongs to a file that is supposed to be downloadable and belongs to the correct user. In reality, this is hard to exploit because an attacker would need to have access to a valid UUID for the file they desire which is unlikely to happen without a separate security problem giving them access to logs etc.",
11+
"severity": [
12+
{
13+
"type": "CVSS_V4",
14+
"score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:H/VI:N/VA:N/SC:H/SI:N/SA:N/E:U"
15+
}
16+
],
17+
"affected": [
18+
{
19+
"package": {
20+
"ecosystem": "PyPI",
21+
"name": "pretix"
22+
},
23+
"ranges": [
24+
{
25+
"type": "ECOSYSTEM",
26+
"events": [
27+
{
28+
"introduced": "0"
29+
},
30+
{
31+
"fixed": "2026.4.2"
32+
}
33+
]
34+
}
35+
]
36+
}
37+
],
38+
"references": [
39+
{
40+
"type": "ADVISORY",
41+
"url": "https://nvd.nist.gov/vuln/detail/CVE-2026-9712"
42+
},
43+
{
44+
"type": "PACKAGE",
45+
"url": "https://github.com/pretix/pretix"
46+
},
47+
{
48+
"type": "WEB",
49+
"url": "https://pretix.eu/about/en/blog/20260527-release-2026-4-2"
50+
}
51+
],
52+
"database_specific": {
53+
"cwe_ids": [
54+
"CWE-639"
55+
],
56+
"severity": "LOW",
57+
"github_reviewed": true,
58+
"github_reviewed_at": "2026-07-01T19:47:20Z",
59+
"nvd_published_at": "2026-05-27T15:16:36Z"
60+
}
61+
}
Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
{
2+
"schema_version": "1.4.0",
3+
"id": "GHSA-m492-gv72-xvxj",
4+
"modified": "2026-07-01T19:49:25Z",
5+
"published": "2026-07-01T19:49:24Z",
6+
"aliases": [],
7+
"summary": "Kimai Password Reset Link Remains Valid After Password Change",
8+
"details": "### Summary\n\nThe LoginLink signature used for password reset URLs covers only the user's `id` — it does not include the password hash. After a user clicks a reset link and successfully changes their password, the same link remains valid for up to 2 additional uses within a 1-hour window. Anyone who intercepts or caches the original link can log in as the user even after the password has been changed.\n\n### Details\n\n`config/packages/security.yaml:73-78` configures the login link:\n\n```yaml\nlogin_link:\n check_route: link_login_check\n signature_properties: ['id']\n lifetime: 900\n max_uses: 3\n```\n\nThe HMAC signature covers only `id`, not `password`, `username`, or `email`. The effective lifetime for password reset links is extended to 3600 seconds by `PasswordResetController.php:106-119` via `getPasswordResetRetryLifetime()`.\n\nAfter the first successful use (where the user sets a new password), the `__pw_reset__` session flag is cleared by `WizardController.php:105`. Subsequent uses of the same link bypass the forced-password-reset wizard and grant a normal authenticated session.\n\nSymfony's `LoginLinkHandler::consumeLoginLink` decrements a per-link counter but allows up to 3 total uses. Re-issuing a new link does not invalidate the old one.\n\nThe same vulnerability affects `UserLoginLinkCommand.php:77`, which generates admin-on-demand login links with the same signature scheme.\n\n### PoC\n\n**Step 1 — Generate a password reset link:**\n\n```bash\ndocker exec <kimai_container> bin/console kimai:user:login-link <username>\n```\n\n**Step 2 — Use the link to log in and change the password.**\n\n**Step 3 — Open the same link in a different browser or incognito session.**\n\nThe link logs the attacker in as a fully authenticated user, despite the password having been changed in Step 2.\n\n**Step 4 — The link works a third time (3 total uses within 1 hour).**\n\n### Impact\n\nA password reset link that leaks through any of the following channels remains a valid authentication credential even after the legitimate user has changed their password: corporate mail-relay scanners that pre-click links (Microsoft Defender ATP, Mimecast, Barracuda), shared inboxes, browser history sync across devices, HTTP referrer headers, or proxy/WAF logs. The user believes they have secured their account by setting a new password, but the leaked link still grants full access for up to 2 additional uses within the hour.\n\n# Solution\n\nLogin links now also use the `password` hash for generating the signature, which will immediately expire the link after the user changed the password.\n\nRead <https://www.kimai.org/en/security/ghsa-m492-gv72-xvxj> for more information.",
9+
"severity": [
10+
{
11+
"type": "CVSS_V4",
12+
"score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U"
13+
}
14+
],
15+
"affected": [
16+
{
17+
"package": {
18+
"ecosystem": "Packagist",
19+
"name": "kimai/kimai"
20+
},
21+
"ranges": [
22+
{
23+
"type": "ECOSYSTEM",
24+
"events": [
25+
{
26+
"introduced": "0"
27+
},
28+
{
29+
"fixed": "2.58.0"
30+
}
31+
]
32+
}
33+
],
34+
"database_specific": {
35+
"last_known_affected_version_range": "<= 2.57.0"
36+
}
37+
}
38+
],
39+
"references": [
40+
{
41+
"type": "WEB",
42+
"url": "https://github.com/kimai/kimai/security/advisories/GHSA-m492-gv72-xvxj"
43+
},
44+
{
45+
"type": "PACKAGE",
46+
"url": "https://github.com/kimai/kimai"
47+
},
48+
{
49+
"type": "WEB",
50+
"url": "https://www.kimai.org/en/security/ghsa-m492-gv72-xvxj"
51+
}
52+
],
53+
"database_specific": {
54+
"cwe_ids": [
55+
"CWE-640"
56+
],
57+
"severity": "LOW",
58+
"github_reviewed": true,
59+
"github_reviewed_at": "2026-07-01T19:49:24Z",
60+
"nvd_published_at": null
61+
}
62+
}

advisories/unreviewed/2026/05/GHSA-72p9-6vv6-gvqh/GHSA-72p9-6vv6-gvqh.json

Lines changed: 0 additions & 36 deletions
This file was deleted.

0 commit comments

Comments
 (0)