Skip to main content

Hashtopolis CVE-2026-22104

| EUVDEUVD-2026-45155 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-07-17 DIVD GHSA-mr39-qwfq-3rmh
7.1
CVSS 4.0 · Vendor: DIVD
Share

Severity by source

Vendor (DIVD) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:I/V:X/RE:X/U:X
vuln.today AI
6.5 MEDIUM

Any authenticated account exploits it remotely with low complexity (PR:L, AC:L, AV:N); impact is confidentiality-only disclosure of cracked hashes, so C:H, I:N, A:N.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (DIVD).

CVSS VectorVendor: DIVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:I/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Jul 17, 2026 - 11:17 EUVD
Source Code Evidence Fetched
Jul 17, 2026 - 10:15 vuln.today
Analysis Generated
Jul 17, 2026 - 10:15 vuln.today
CVE Published
Jul 17, 2026 - 09:30 cve.org
HIGH 7.1

DescriptionCVE.org

Improper access control in Hashtopolis server web-interface chunk activity component for versions prior to 0.14.8 allows any created account to read all cracked hashes of a Hashtopolis server instance.

AnalysisAI

Broken object-level authorization in the Hashtopolis server web-interface chunk activity component lets any authenticated low-privilege account read all cracked hashes across the entire server, regardless of access-group membership. Affecting all versions prior to 0.14.8, the flaw exposes recovered plaintext credentials - the core sensitive output of the platform - to users who should only see their own group's data. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain any Hashtopolis account
Delivery
Log in to web interface
Exploit
Access chunk activity component
Execution
Request other groups' chunk/hash data
Impact
Retrieve all cracked plaintext hashes

Vulnerability AssessmentAI

Exploitation Requires a valid authenticated account on the target Hashtopolis server (PR:L) - the description states 'any created account' can read all cracked hashes, so the only prerequisite is possession of any account, not administrative rights. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N) scoring 7.1 is internally consistent with the description: network-reachable web interface, low attack complexity, low privileges required (any created account), no user interaction, and a pure confidentiality impact (VC:H) with no integrity or availability effect. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has been granted (or has self-registered for) any account on a shared Hashtopolis instance browses to the chunk activity component and requests chunk/hash data belonging to access groups they are not a member of. Because the component does not verify group ownership, the interface returns cracked plaintext hashes from every group on the server, letting the attacker harvest credentials recovered by other teams' jobs. …
Remediation Upgrade to the vendor-released patch: Hashtopolis server v0.14.8 (https://github.com/hashtopolis/server/releases/tag/v0.14.8), which the release notes state fixes access issues where users could read chunk and hash info from access groups they were not members of. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, audit all Hashtopolis server instances to identify their current version and production deployment status. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Server

View all
CVE-2018-1000881 CRITICAL POC
9.8 Dec 20

Traccar Traccar Server version 4.0 and earlier contains a CWE-94: Improper Control of Generation of Code ('Code Injectio

CVE-2026-60104 CRITICAL POC
9.3 Jul 08

Account takeover in self-hosted Bitwarden Server before 2026.6.0 lets a low-privileged organization member steal any oth

CVE-2026-43639 HIGH POC
8.9 May 11

Provider service users in Bitwarden Server Cloud can hijack arbitrary organizations via unauthorized API endpoint access

CVE-2021-42973 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Integer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack compl

CVE-2021-42972 HIGH POC
8.8 Dec 07

NoMachine Server is affected by Buffer Overflow. Rated high severity (CVSS 8.8), this vulnerability is low attack comple

CVE-2026-43640 HIGH POC
8.6 May 11

Authentication bypass in Bitwarden Server versions prior to 2026.4.1 allows authenticated users with SCIM management pri

CVE-2019-25609 HIGH POC
8.6 Mar 22

JetAudio jetCast Server 2.0 contains a stack-based buffer overflow vulnerability in the Log Directory configuration fiel

CVE-2023-30223 HIGH POC
7.5 Jun 16

A broken authentication vulnerability in 4D SAS 4D Server software v17, v18, v19 R7, and earlier allows attackers to sen

CVE-2023-30222 HIGH POC
7.5 Jun 16

An information disclosure vulnerability in 4D SAS 4D Server Application v17, v18, v19 R7 and earlier allows attackers to

CVE-2026-57520 HIGH POC
7.1 Jun 25

Privilege escalation in self-hosted Bitwarden Server before 2026.5.0 lets an authenticated organization member holding a

CVE-2017-7855 MEDIUM POC
6.1 Aug 31

In the webmail component in IceWarp Server 11.3.1.5, there was an XSS vulnerability discovered in the "language" paramet

CVE-2022-39395 CRITICAL
9.9 Nov 10

Vela is a Pipeline Automation (CI/CD) framework built on Linux container technology written in Golang. Rated critical se

Share

CVE-2026-22104 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy