CVE-2026-31881
Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window
| CVSS Score | 7.7 |
| EPSS Score | 0.0% |
| EPSS Percentile | 0th |
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.
| CWE | CWE-306 |
| Vendor | runtipi |
| Product | runtipi |
| Published | Mar 11, 2026 |
| Last Updated | Mar 12, 2026 |
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
| Attack Vector | Network |
| Attack Complexity | High |
| Privileges Required | None |
| User Interaction | None |
| Scope | Unchanged |
| Confidentiality | High |
| Integrity | High |
| Availability | Low |
Affected Versions
runtipi / runtipi
< 4.8.0