Runtipi CVE-2026-31881
HIGHSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
2DescriptionGitHub Advisory
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.
AnalysisAI
Runtipi versions prior to 4.8.0 allow unauthenticated attackers to reset the admin password through an unprotected POST /api/auth/reset-password endpoint, enabling complete account takeover during active password-reset windows. Any remote user can set a new operator password within the 15-minute reset window without authentication or authorization checks. This vulnerability remains unpatched in affected versions.
Technical ContextAI
This vulnerability (CWE-306: Missing Authentication for Critical Function) exists in the full account takeover. The component. Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.
Affected ProductsAI
Product: Runtipi is a personal homeserver orchestrator.. Versions: up to 4.8.0. Component: full account takeover. The.
RemediationAI
Fixed in version 4.8.0.. Restrict network access to the affected service where possible.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today