Weak Password Recovery Mechanism for Forgotten Password
CVE-2026-35676
Summary
The password reset API can be triggered without authentication and without any out-of-band confirmation step. If an attacker knows a valid username + email pair, they can call the reset endpoint directly. The application immediately generates a new password, writes it to the account, and only then sends it by email, so the account's credential is changed before the legitimate owner has confirmed anything. The affected versions are prior to 4.1.3.
- LOW
- NETWORK
- HIGH
- UNCHANGED
- NONE
- NONE
- LOW
- NONE
CWE-640 - Weak Password Recovery Mechanism for Forgotten Password
The software contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
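As an added illustration, not the affected project's code (which does not appear on this page), the immediate-rotation pattern the summary describes is shown beside a token-based flow that changes nothing until the emailed token is presented; the account store, outbox, names and 15-minute token lifetime are constructed for the example.

```python
import hashlib, hmac, secrets, time

# Constructed in-memory stores; stand-ins, not the affected product's code.
ACCOUNTS = {"alice": {"email": "alice@example.test", "pw_hash": hashlib.sha256(b"old-pw").hexdigest()}}
RESET_TOKENS = {}   # sha256(token) -> (username, expiry); only the hash is stored
OUTBOX = []         # stands in for the mail channel
TOKEN_TTL = 15 * 60

def hash_pw(password):
    return hashlib.sha256(password.encode()).hexdigest()   # use a real KDF in practice

def vulnerable_reset(username, email):
    """CWE-640 pattern from the summary: a known username+email pair alone
    rotates the password, before any out-of-band confirmation."""
    acct = ACCOUNTS.get(username)
    if acct and acct["email"] == email:
        new_pw = secrets.token_urlsafe(12)
        acct["pw_hash"] = hash_pw(new_pw)              # account already changed here
        OUTBOX.append({"to": email, "password": new_pw})
        return "password changed and emailed"
    return "no such account"                           # reply also confirms account existence

def request_reset(username, email):
    """Hardened step 1: issue a single-use, time-limited token; change nothing."""
    acct = ACCOUNTS.get(username)
    if acct and hmac.compare_digest(acct["email"], email):
        token = secrets.token_urlsafe(32)
        RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (username, time.time() + TOKEN_TTL)
        OUTBOX.append({"to": email, "token": token})   # token leaves only via the mail channel
    return "if the account exists, a reset link has been emailed"   # uniform reply

def complete_reset(token, new_password):
    """Hardened step 2: only the holder of the emailed token may set a password."""
    entry = RESET_TOKENS.pop(hashlib.sha256(token.encode()).hexdigest(), None)  # single use
    if entry is None or entry[1] < time.time():
        return False
    ACCOUNTS[entry[0]]["pw_hash"] = hash_pw(new_password)
    return True
```

The hardened flow keeps the stored password untouched until a valid, unexpired token arrives, and its request endpoint answers identically whether or not the account exists.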