CVE-2026-63100
Maybe 0.6.0 Missing Authorization via HostingsController show/update
Maybe through 0.6.0 contains a missing authorization vulnerability that allows authenticated low-privilege member-role users to access and modify global hosting settings by exploiting unprotected show and update actions in the Settings::HostingsController, where the before_action ensure_admin filter is applied only to the clear_cache action. Attackers can read the operator's Synth API key rendered in plaintext via a form field value attribute, overwrite it with an attacker-controlled value, toggle public registration settings, and disable email confirmation requirements to disrupt the entire instance.
| CWE | CWE-862 |
| Vendor | maybe-finance |
| Product | maybe |
| Published | Jul 17, 2026 |
Get instant alerts for maybe-finance maybe
Be the first to know when new medium vulnerabilities affecting maybe-finance maybe are published โ delivered to Slack, Telegram or Discord.
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N