Severity by source
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
3DescriptionGitHub Advisory
Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.
AnalysisAI
Authentication bypass in CronMaster versions prior to 2.2.0 allows adjacent network attackers to gain unauthorized administrative access without credentials. When session validation requests fail, the middleware incorrectly treats invalid session cookies as authenticated, enabling execution of privileged Next.js Server Actions and access to protected administrative pages. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though exploitation complexity is low once network access is achieved.
Technical ContextAI
CronMaster is a web-based cronjob management interface built on Next.js that provides scheduled task administration with logging capabilities. This vulnerability stems from CWE-287 (Improper Authentication) in the application's authentication middleware layer. The flaw occurs in the session validation logic where failed fetch requests to verify session cookies result in a fail-open behavior rather than fail-closed. In Next.js Server Actions architecture, middleware authentication failures should deny access by default, but this implementation allows requests to proceed when the validation mechanism itself encounters errors (network timeouts, service unavailability, exception handling failures). The affected component is cpe:2.3:a:fccview:cronmaster prior to version 2.2.0, specifically the middleware responsible for protecting both page routes and server-side API actions that control cronjob execution and configuration.
RemediationAI
Organizations should immediately upgrade CronMaster to version 2.2.0 or later, which contains a patch addressing the authentication middleware fail-open behavior. The patched release is available at https://github.com/fccview/cronmaster/releases/tag/2.2.0. Until patching is complete, implement network-level controls to restrict access to CronMaster instances to only trusted network segments, eliminating adjacent network attack opportunities. Review access logs for any suspicious activity patterns such as requests with malformed or invalid session cookies that received successful responses. As an additional defense-in-depth measure, ensure session validation backend services have proper redundancy and monitoring to prevent validation failures that could trigger the vulnerable code path. Consult the GitHub security advisory at https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6 for additional vendor-recommended hardening guidance.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-17971