
Insecure Default Initialization of Resource

CVE-2026-35672

Severity Low
Score 0/10

Summary

A default empty API client token allows any unauthenticated user to create and modify FAQ entries, categories, and questions through the REST API. The installer seeds `api.apiClientToken` with an empty string, and `hasValidToken()` simply compares the configured value with the token the client sends, so it cannot distinguish "no token configured" from "the attacker sent an empty token header": empty equals empty, and the request is accepted. The flaw has been present in every version since API v4.0 was introduced; versions prior to 4.1.3 are affected. The 0/10 score shown above does not reflect the unauthenticated integrity impact described here, so triage on the described behaviour rather than on the score. A quick check for an exposed install is whether `api.apiClientToken` is still empty in the stored configuration.
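The following is an added illustration of the failure mode described above, written for this page rather than taken from the affected project: a reconstruction of the flawed equality check, the hardened check beside it, and a secure installer default. The dictionary layout, the function names `has_valid_token_vulnerable`, `has_valid_token_fixed` and `seed_api_client_token`, and the way a missing header is represented are assumptions for the example; only the key name `api.apiClientToken` comes from the advisory.

```python
import hmac
import secrets
from typing import Optional

# Constructed stand-in for the settings written by the vulnerable installer.
# The key name is from the advisory; the surrounding dict structure is an
# assumption for this example.
SEEDED_BY_VULNERABLE_INSTALLER = {"api.apiClientToken": ""}


def has_valid_token_vulnerable(config: dict, header_token: Optional[str]) -> bool:
    """Illustrative reconstruction (not the project's code) of the flawed
    logic: a plain equality test between the configured token and whatever
    the client sent. With an empty seeded token, an empty header (or a
    missing one, when the framework maps it to "") compares equal."""
    configured = config.get("api.apiClientToken", "")
    return configured == (header_token or "")


def has_valid_token_fixed(config: dict, header_token: Optional[str]) -> bool:
    """Hardened check: an absent or empty configured token means no API
    credential has been provisioned, so every request is denied; a missing
    or empty header is denied before any comparison; the comparison itself
    is constant-time."""
    configured = config.get("api.apiClientToken")
    if not configured:      # None or "" -> nothing provisioned, deny
        return False
    if not header_token:    # no header or empty header -> deny
        return False
    return hmac.compare_digest(configured.encode(), header_token.encode())


def seed_api_client_token(config: dict) -> str:
    """Secure installer default: write a random token instead of "", so a
    fresh install is never in the 'empty matches empty' state. Returns the
    token so it can be displayed to the administrator once."""
    token = secrets.token_urlsafe(32)
    config["api.apiClientToken"] = token
    return token


def demo() -> dict:
    """Run the scenarios side by side and return the outcomes."""
    vulnerable_cfg = dict(SEEDED_BY_VULNERABLE_INSTALLER)
    fixed_cfg: dict = {}
    real_token = seed_api_client_token(fixed_cfg)
    return {
        # Unauthenticated client against the empty-seeded config.
        "vuln_empty_header": has_valid_token_vulnerable(vulnerable_cfg, ""),
        "vuln_missing_header": has_valid_token_vulnerable(vulnerable_cfg, None),
        # Hardened check against the same empty config: denied.
        "fixed_empty_config": has_valid_token_fixed(vulnerable_cfg, ""),
        # Hardened check against a properly seeded config.
        "fixed_missing_header": has_valid_token_fixed(fixed_cfg, None),
        "fixed_wrong_token": has_valid_token_fixed(fixed_cfg, "guess"),
        "fixed_right_token": has_valid_token_fixed(fixed_cfg, real_token),
    }


if __name__ == "__main__":
    for name, accepted in demo().items():
        print(f"{name}: {'ACCEPTED' if accepted else 'rejected'}")
```

The two changes that matter are independent: the fixed check treats "no token configured" as "API disabled" rather than as a password that happens to be empty, and the installer no longer produces that state in the first place. Either one alone closes the described bypass; both together also cover installs upgraded from a vulnerable version whose stored token is still empty.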

  • LOW
  • NETWORK
  • HIGH
  • UNCHANGED
  • NONE
  • NONE
  • NONE
  • NONE

CWE-1188 - Insecure Default Initialization of Resource

The software initializes or sets a resource with a default that is intended to be changed by the administrator, but the default is not secure.
