{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-31881", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-03-09T21:59:02.686Z", "datePublished": "2026-03-11T18:37:11.360Z", "dateUpdated": "2026-03-12T20:06:56.196Z"}, "containers": {"cna": {"title": "Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window", "problemTypes": [{"descriptions": [{"cweId": "CWE-306", "lang": "en", "description": "CWE-306: Missing Authentication for Critical Function", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}}], "references": [{"name": "https://github.com/runtipi/runtipi/security/advisories/GHSA-96fm-whrc-cwg3", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-96fm-whrc-cwg3"}], "affected": [{"vendor": "runtipi", "product": "runtipi", "versions": [{"version": "< 4.8.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:37:11.360Z"}, "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0."}], "source": {"advisory": "GHSA-96fm-whrc-cwg3", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-12T20:06:41.837355Z", "id": "CVE-2026-31881", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:06:56.196Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-31881", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-12T20:06:41.837355Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-12T20:06:53.513Z"}}], "cna": {"title": "Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window", "source": {"advisory": "GHSA-96fm-whrc-cwg3", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.7, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "HIGH", "availabilityImpact": "LOW", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "runtipi", "product": "runtipi", "versions": [{"status": "affected", "version": "< 4.8.0"}]}], "references": [{"url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-96fm-whrc-cwg3", "name": "https://github.com/runtipi/runtipi/security/advisories/GHSA-96fm-whrc-cwg3", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306: Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-03-11T18:37:11.360Z"}}}, "cveMetadata": {"cveId": "CVE-2026-31881", "state": "PUBLISHED", "dateUpdated": "2026-03-12T20:06:56.196Z", "dateReserved": "2026-03-09T21:59:02.686Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-03-11T18:37:11.360Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*", "matchCriteriaId": "7F1DB2A0-4BA2-4CD6-BD14-04BCA5CBD7EE", "versionEndExcluding": "4.8.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0."}, {"lang": "es", "value": "Runtipi es un orquestador de homeserver personal. Antes de la versi\u00f3n 4.8.0, un atacante no autenticado puede restablecer la contrase\u00f1a del operador (administrador) cuando una solicitud de restablecimiento de contrase\u00f1a est\u00e1 activa, lo que resulta en una toma de control completa de la cuenta. El endpoint POST /api/auth/reset-password est\u00e1 expuesto sin comprobaciones de autenticaci\u00f3n/autorizaci\u00f3n. Durante la ventana de restablecimiento de 15 minutos, cualquier usuario remoto puede establecer una nueva contrase\u00f1a de operador e iniciar sesi\u00f3n como administrador. Esta vulnerabilidad se corrige en la versi\u00f3n 4.8.0."}], "id": "CVE-2026-31881", "lastModified": "2026-03-16T20:53:43.683", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "NETWORK", "availabilityImpact": "LOW", "baseScore": 7.7, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L", "version": "3.1"}, "exploitabilityScore": 2.2, "impactScore": 5.5, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2026-03-11T19:16:04.787", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/runtipi/runtipi/security/advisories/GHSA-96fm-whrc-cwg3"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,4.8.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "runtipi", "source": "cna", "vendor": "runtipi"}, "product": "runtipi", "vendor": "runtipi"}], "analysis": {"en": {"generated_at": "2026-03-16T23:12:45.137013+00:00", "value": {"mitigation_remediation": ["Upgrade Runtipi to version 4.8.0 or later."], "summary": {"action": "Patch", "impact": "Account Takeover"}, "threat_synthesis": {"affected_systems": "The flaw affects all Runtipi installations running versions earlier than 4.8.0. The issue is fixed in Runtipi 4.8.0 and later. The affected product is the Runtipi personal homeserver orchestrator, as identified by the cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*.", "description_and_impact": "The vulnerability in Runtipi allows an unauthenticated attacker to reset the operator (admin) password during an active password\u2011reset window. The POST /api/auth/reset-password endpoint lacks authentication or authorization checks, enabling any remote user to set a new operator password within a 15\u2011minute window. This results in full operator account takeover, granting the attacker full control and the ability to compromise all hosted services and data. The flaw is a CWE-306 style authentication bypass.", "risk_and_exploitability": "The CVSS score of 7.7 indicates high severity, while the EPSS score of under 1% suggests that exploitation may be unlikely at present. Since the vulnerability is not listed in CISA\u2019s KEV table, it is not known to be widely exploited. Attackers would need only to trigger the password\u2011reset process and wait for the 15\u2011minute window; no special access is required, making the attack straightforward for an unauthenticated remote user."}}}}, "created": "2026-03-12T09:56:57.221776+00:00", "updated": "2026-03-20T15:29:32.147028+00:00", "vendors": ["runtipi", "runtipi$PRODUCT$runtipi"]}