What is the CVSS score of CVE-2026-34408?

CVE-2026-34408 has a CVSS 3.1 base score of 9.1 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Gambio GX4 are affected by CVE-2026-34408?

Gambio GX4 e-commerce platform versions 4.0.0.0 through 4.9.2.0 contain a critical unauthenticated password reset bypass that permits attackers to take over any user account if the account ID is…

How to fix or mitigate CVE-2026-34408?

Within 24 hours: Identify all Gambio GX4 installations and confirm version numbers (4.0.0.0-4.9.2.0 are vulnerable); disable or restrict access to password reset functionality if feasible. Within 7 days: Upgrade all affected Gambio instances to version 2024-02 v1.0.0 or later per vendor advisory; test functionality in staging before production deployment. Within 30 days: Conduct account security audit (review account creation logs, password change logs, and suspicious login activity for the past 90 days); reset passwords for high-privilege accounts and customer accounts with payment data access; enable multi-factor authentication for administrative accounts if available.

Gambio GX4 CVE-2026-34408

EUVD-2026-27323 CRITICAL

Weak Password Recovery Mechanism for Forgotten Password (CWE-640)

2026-05-05 mitre

GHSA-338p-fcwm-8fgc

Authentication Bypass N A

9.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Generated

May 06, 2026 - 20:30 vuln.today

CVSS changed

May 06, 2026 - 18:22 NVD

9.1 (CRITICAL)

CVE Published

May 05, 2026 - 00:00 nvd

CRITICAL 9.1

DescriptionNVD

An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.

AnalysisAI

Password reset bypass in Gambio GX4 e-commerce platform allows remote unauthenticated attackers to set arbitrary passwords for any user account when the account ID is known, leading to complete account takeover. Affects versions 4.0.0.0 through 4.9.2.0, patched in February 2024 security update (2024-02 v1.0.0). …

RemediationAI

Within 24 hours: Identify all Gambio GX4 installations and confirm version numbers (4.0.0.0-4.9.2.0 are vulnerable); disable or restrict access to password reset functionality if feasible. Within 7 days: Upgrade all affected Gambio instances to version 2024-02 v1.0.0 or later per vendor advisory; test functionality in staging before production deployment. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-34408 vulnerability details – vuln.today

Back

Gambio GX4 CVE-2026-34408

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code