Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
7DescriptionCVE.org
Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a switch to user ID 1 to obtain session tokens or password hashes belonging to administrator accounts.
AnalysisAI
Privilege escalation in Pachno 1.0.6 allows low-privilege authenticated users to hijack administrator sessions by manipulating the original_username cookie in the runSwitchUser() action, enabling unauthorized access to user ID 1 (admin) session tokens and password hashes. SSVC confirms proof-of-concept exists with partial technical impact, though EPSS indicates low exploitation probability (0.07%, 22nd percentile) and no active exploitation confirmed via CISA KEV.
Technical ContextAI
Pachno is an open-source project management and collaboration platform. This vulnerability (CWE-639: Authorization Bypass Through User-Controlled Key) stems from insufficient validation of client-controlled cookies in the user-switching functionality. The runSwitchUser() action trusts the original_username cookie value provided by the client without proper authentication checks, allowing arbitrary user impersonation. Because session management relies on this unvalidated cookie during privilege transitions, attackers can inject malicious values to hijack high-privilege accounts. The affected product is Pachno version 1.0.6 (CPE: cpe:2.3:a:pancho:pachno:1.0.6), though the CPE wildcard suggests potential impact across multiple 1.x versions pending vendor clarification.
RemediationAI
Upgrade Pachno to a patched version addressing CVE-2026-40043, referencing the official Pachno GitHub repository for release notes confirming this fix (exact patched version number not independently verified in provided intelligence sources). Until patching is feasible, implement compensating controls: disable or restrict access to the runSwitchUser() functionality via web application firewall rules, enforce strict session validation with server-side checks for user privilege transitions, and monitor authentication logs for anomalous user-switching patterns targeting user ID 1. Review existing user accounts for unauthorized privilege escalations that may have occurred since deployment of version 1.0.6. Consult advisories at https://www.vulncheck.com/advisories/pachno-authentication-bypass-via-runswitchuser and https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5985.php for additional technical mitigation guidance.
XML External Entity (XXE) injection in Pachno 1.0.6's TextParser helper allows remote unauthenticated attackers to read
Remote code execution in Pachno 1.0.6 allows authenticated users to upload and execute PHP5 scripts via the /uploadfile
Open redirection in Pachno 1.0.6's return_to parameter enables phishing campaigns that harvest user credentials by redir
A vulnerability has been identified in Pachno 1.0.6 allowing an authenticated attacker to execute a cross-site scripting
Pachno 1.0.6 contains a cross-site request forgery vulnerability that allows attackers to perform arbitrary actions in a
Pachno 1.0.6 contains a stored cross-site scripting vulnerability that allows attackers to execute arbitrary HTML and sc
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22051