๐Ÿ” CVE Alert

CVE-2026-63100

MEDIUM 6.5

Maybe 0.6.0 Missing Authorization via HostingsController show/update

CVSS Score
6.5
EPSS Score
0.0%
EPSS Percentile
0th

Maybe through 0.6.0 contains a missing authorization vulnerability that allows authenticated low-privilege member-role users to access and modify global hosting settings by exploiting unprotected show and update actions in the Settings::HostingsController, where the before_action ensure_admin filter is applied only to the clear_cache action. Attackers can read the operator's Synth API key rendered in plaintext via a form field value attribute, overwrite it with an attacker-controlled value, toggle public registration settings, and disable email confirmation requirements to disrupt the entire instance.

CWE CWE-862
Vendor maybe-finance
Product maybe
Published Jul 17, 2026
Stay Ahead of the Next One

Get instant alerts for maybe-finance maybe

Be the first to know when new medium vulnerabilities affecting maybe-finance maybe are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Affected Versions

maybe-finance / maybe
0 โ‰ค 0.6.0

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
github.com: https://github.com/geo-chen/oss/blob/main/maybe.md vulncheck.com: https://www.vulncheck.com/advisories/maybe-missing-authorization-via-hostingscontroller-show-update

Credits

George Chen