Skip to main content

Cronicle CVE-2026-39401

| EUVDEUVD-2026-19925 MEDIUM
Missing Authorization (CWE-862)
2026-04-07 GitHub_M
5.3
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.9.111
EUVD ID Assigned
Apr 07, 2026 - 20:31 euvd
EUVD-2026-19925
Analysis Generated
Apr 07, 2026 - 20:31 vuln.today
CVE Published
Apr 07, 2026 - 20:24 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111.

AnalysisAI

Cronicle prior to 0.9.111 allows low-privilege authenticated users to modify arbitrary event properties via an authorization bypass in the job child process update mechanism. An attacker with permission to create and run events can inject an update_event key in JSON output that the server applies directly to any event's configuration without authorization checks, enabling modification of webhook URLs, notification emails, and other sensitive event parameters. This vulnerability requires prior authentication and event creation capabilities but represents a significant privilege escalation risk in multi-user Cronicle deployments.

Technical ContextAI

Cronicle is a distributed task scheduler that executes jobs across multiple servers using child processes (referred to as 'jb' processes). The vulnerability stems from insufficient authorization validation in the event update flow (CWE-862: Missing Authorization). When job child processes return JSON output, they can include an update_event key that modifies the parent event's stored configuration. The server processes this update without verifying that the requesting user has authorization to modify the target event. This bypasses the intended access control model where only event creators or administrators should modify event properties. The affected component is the event configuration handling mechanism in the Cronicle scheduler core, as identified by CPE cpe:2.3:a:jhuckaby:cronicle:*:*:*:*:*:*:*:*.

RemediationAI

Vendor-released patch: Cronicle 0.9.111 and later contain fixes for the authorization bypass. Users should immediately upgrade from versions prior to 0.9.111 to version 0.9.111 or the latest available release. The patch adds proper authorization checks to the update_event processing logic to ensure that only authorized users can modify event properties. No interim workarounds are documented; patching is the primary remediation path. Reference the GitHub Security Advisory at https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-5j3v-cq96-xw6v and ENISA EUVD entry EUVD-2026-19925 for detailed guidance.

Share

CVE-2026-39401 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy