Description

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.

INFO

Published Date :

2026-03-11T18:37:11.360Z

Last Modified :

2026-03-12T20:06:56.196Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-31881 vulnerability.

Vendors Products
Runtipi
  • Runtipi
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-31881.

URL Resource
https://github.com/runtipi/runtipi/security/advisories/GHSA-96fm-whrc-cwg3 cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Privileges Required
User Interaction
Scope
Confidentiality Impact
Integrity Impact
Availability Impact