Skip to main content

Pachno CVE-2026-40043

| EUVDEUVD-2026-22051 HIGH
Authorization Bypass Through User-Controlled Key (CWE-639)
2026-04-13 VulnCheck
7.1
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

7
Re-analysis Queued
Apr 17, 2026 - 15:37 vuln.today
cvss_changed
Analysis Generated
Apr 15, 2026 - 12:33 vuln.today
Severity Changed
Apr 13, 2026 - 19:37 NVD
MEDIUM HIGH
CVSS changed
Apr 13, 2026 - 19:37 NVD
6.5 (MEDIUM) 7.1 (HIGH)
EUVD ID Assigned
Apr 13, 2026 - 18:56 euvd
EUVD-2026-22051
Analysis Generated
Apr 13, 2026 - 18:56 vuln.today
CVE Published
Apr 13, 2026 - 18:11 nvd
HIGH 7.1

DescriptionCVE.org

Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a switch to user ID 1 to obtain session tokens or password hashes belonging to administrator accounts.

AnalysisAI

Privilege escalation in Pachno 1.0.6 allows low-privilege authenticated users to hijack administrator sessions by manipulating the original_username cookie in the runSwitchUser() action, enabling unauthorized access to user ID 1 (admin) session tokens and password hashes. SSVC confirms proof-of-concept exists with partial technical impact, though EPSS indicates low exploitation probability (0.07%, 22nd percentile) and no active exploitation confirmed via CISA KEV.

Technical ContextAI

Pachno is an open-source project management and collaboration platform. This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) stems from insufficient validation of client-controlled cookies in the user-switching functionality. The runSwitchUser() action trusts the original_username cookie value provided by the client without proper authentication checks, allowing arbitrary user impersonation. Because session management relies on this unvalidated cookie during privilege transitions, attackers can inject malicious values to hijack high-privilege accounts. The affected product is Pachno version 1.0.6 (CPE: cpe:2.3:a:pancho:pachno:1.0.6), though the CPE wildcard suggests potential impact across multiple 1.x versions pending vendor clarification.

RemediationAI

Upgrade Pachno to a patched version addressing CVE-2026-40043, referencing the official Pachno GitHub repository for release notes confirming this fix (exact patched version number not independently verified in provided intelligence sources). Until patching is feasible, implement compensating controls: disable or restrict access to the runSwitchUser() functionality via web application firewall rules, enforce strict session validation with server-side checks for user privilege transitions, and monitor authentication logs for anomalous user-switching patterns targeting user ID 1. Review existing user accounts for unauthorized privilege escalations that may have occurred since deployment of version 1.0.6. Consult advisories at https://www.vulncheck.com/advisories/pachno-authentication-bypass-via-runswitchuser and https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5985.php for additional technical mitigation guidance.

Share

CVE-2026-40043 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy