{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-39401", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-06T22:06:40.516Z", "datePublished": "2026-04-07T20:24:06.418Z", "dateUpdated": "2026-04-08T16:14:54.345Z"}, "containers": {"cna": {"title": "Privilege Escalation via update_event Job Output in Cronicle", "problemTypes": [{"descriptions": [{"cweId": "CWE-862", "lang": "en", "description": "CWE-862: Missing Authorization", "type": "CWE"}]}], "metrics": [{"cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "version": "4.0"}}], "references": [{"name": "https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-5j3v-cq96-xw6v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-5j3v-cq96-xw6v"}], "affected": [{"vendor": "jhuckaby", "product": "Cronicle", "versions": [{"version": "< 0.9.111", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:24:06.418Z"}, "descriptions": [{"lang": "en", "value": "Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111."}], "source": {"advisory": "GHSA-5j3v-cq96-xw6v", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-5j3v-cq96-xw6v", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T16:11:30.726704Z", "id": "CVE-2026-39401", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:14:54.345Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-39401", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-08T16:11:30.726704Z"}}}], "references": [{"url": "https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-5j3v-cq96-xw6v", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T16:11:38.507Z"}}], "cna": {"title": "Privilege Escalation via update_event Job Output in Cronicle", "source": {"advisory": "GHSA-5j3v-cq96-xw6v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 5.3, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "NONE"}}], "affected": [{"vendor": "jhuckaby", "product": "Cronicle", "versions": [{"status": "affected", "version": "< 0.9.111"}]}], "references": [{"url": "https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-5j3v-cq96-xw6v", "name": "https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-5j3v-cq96-xw6v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-862", "description": "CWE-862: Missing Authorization"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T20:24:06.418Z"}}}, "cveMetadata": {"cveId": "CVE-2026-39401", "state": "PUBLISHED", "dateUpdated": "2026-04-08T16:14:54.345Z", "dateReserved": "2026-04-06T22:06:40.516Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T20:24:06.418Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:cronicle:cronicle:*:*:*:*:*:*:*:*", "matchCriteriaId": "39B61EC4-D675-4546-9B1C-239E47AB6C5A", "versionEndExcluding": "0.9.111", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111."}], "id": "CVE-2026-39401", "lastModified": "2026-04-15T20:23:40.270", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.4, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 2.5, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T21:17:18.547", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-5j3v-cq96-xw6v"}, {"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-5j3v-cq96-xw6v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "security-advisories@github.com", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,0.9.111)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Cronicle", "source": "cna", "vendor": "jhuckaby"}, "product": "cronicle", "vendor": "jhuckaby"}], "analysis": {"en": {"generated_at": "2026-04-08T00:22:32.684429+00:00", "value": {"mitigation_remediation": ["Upgrade Cronicle to version 0.9.111 or later to eliminate the flaw."], "summary": {"action": "Patch immediately", "impact": "Privilege Escalation via unauthorized event modification"}, "threat_synthesis": {"affected_systems": "All installations of jhuckaby Cronicle older than 0.9.111 are affected. The vulnerability requires that the user have permission to create or run events on the server, meaning users with the ability to schedule jobs can exploit it.", "description_and_impact": "Cronicle is a multi\u2011server task scheduler with a web\u2011based UI. Prior to version 0.9.111 child processes can emit JSON that contains an update_event key. The server applies this key directly to the parent event\u2019s stored configuration without checking the user\u2019s authorization. An attacker who can create and run events therefore gains the ability to modify any event property, including webhook URLs and notification emails, which is a form of privilege escalation. The weakness is classed as CWE\u2011862, indicating improper authorization.", "risk_and_exploitability": "The CVSS score of 5.3 indicates moderate severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog, suggesting no widely known exploitation yet. The attack vector is inferred to be the ability to schedule and execute jobs locally on the server, with the attacker injecting the update_event field to alter event behavior."}}}}, "created": "2026-04-08T19:34:19.820263+00:00", "updated": "2026-04-08T19:45:48.688489+00:00", "vendors": ["jhuckaby", "jhuckaby$PRODUCT$cronicle"]}