Severity by source
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address is written to the application configuration file. The change does not become active immediately in the current process, because the ADMINS set is loaded once at startup. After a Scoold restart, though, the selected user is recognized as an administrator and gains access to the admin panel. This issue gives an attacker a reliable persistence path: write their own email into scoold.admins, wait for a restart or trigger one operationally, and the account comes back as admin. This issue has been patched in version 1.67.0.
AnalysisAI
Authentication bypass in Scoold prior to version 1.67.0 allows high-privileged attackers to inject arbitrary administrator email addresses via the /api/config/set/admins endpoint using a forged Bearer token, establishing persistent administrative access after application restart. The vulnerability exploits insufficient token validation in the configuration API, enabling attackers to escalate privileges reliably by injecting their own email into the admin configuration file, which is loaded on startup.
Technical ContextAI
Scoold's configuration API endpoint /api/config/set/admins accepts Bearer token authentication but fails to properly validate token authenticity before processing privileged configuration changes. The underlying issue stems from CWE-306 (Missing Authentication Check), where the API trusts forged tokens as valid administrative credentials. The ADMINS configuration is loaded once at application startup into memory, meaning malicious changes written to the configuration file do not take effect in the current process but persist across restarts. This creates a delayed-effect persistence mechanism where an attacker's injected email address becomes an active administrator account after the next application restart, bypassing normal access control mechanisms.
RemediationAI
Upgrade to Scoold version 1.67.0 or later, which implements security checks in ApiController for proper personal access token validation and authentication handling. The patch is confirmed in the official GitHub release (https://github.com/Erudika/scoold/releases/tag/1.67.0). If immediate patching is not possible, implement network-level access controls to restrict access to the /api/config/set/admins endpoint to internal networks only, implement IP whitelisting for API endpoints, and audit all existing administrator accounts and recent configuration changes to detect unauthorized admin injection. Monitor application logs for suspicious Bearer token usage and config modification attempts. Note that these controls do not prevent attack if the attacker already possesses valid high-privilege API credentials; patching remains the primary mitigation.
Improper handling of Length parameter in GitHub repository erudika/scoold prior to 1.49.4. Rated high severity (CVSS 8.8
Scoold is a Q&A and a knowledge sharing platform for teams. Rated high severity (CVSS 8.7), this vulnerability is remote
Scoold versions prior to 1.66.1 allow authenticated low-privilege users to delete any other user's feedback posts via an
Scoold versions prior to 1.66.2 allow authenticated low-privilege users to overwrite arbitrary existing questions by sub
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28818