CVE-2026-31881
HIGHCVSS Vector
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
2Description
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.
Analysis
Runtipi versions prior to 4.8.0 allow unauthenticated attackers to reset the admin password through an unprotected POST /api/auth/reset-password endpoint, enabling complete account takeover during active password-reset windows. Any remote user can set a new operator password within the 15-minute reset window without authentication or authorization checks. …
Sign in for full analysis, threat intelligence, and remediation guidance.
Remediation
Within 24 hours: Identify all Runtipi instances in your environment and document their versions and network exposure. Within 7 days: Implement network segmentation to restrict access to the password reset endpoint (/api/auth/reset-password) or disable the password reset feature if operationally feasible. …
Sign in for detailed remediation steps.
Priority Score
Share
External POC / Exploit Code
Leaving vuln.today