Skip to main content

Penpot CVE-2026-44986

| EUVDEUVD-2026-44699 CRITICAL
Improper Authentication (CWE-287)
2026-07-15 GitHub_M
9.9
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
9.9 CRITICAL
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Primary rating from Vendor (GitHub_M) · only source for this CVE.

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

4
Patch available
Jul 15, 2026 - 17:48 EUVD
Source Code Evidence Fetched
Jul 15, 2026 - 15:49 vuln.today
Analysis Generated
Jul 15, 2026 - 15:49 vuln.today
CVE Published
Jul 15, 2026 - 15:08 cve.org
CRITICAL 9.9

DescriptionCVE.org

Penpot is an open-source design tool for design and code collaboration. Prior to 2.14.5, Penpot exposed teams_invitations.clj invitation tokens from create-team-invitations, embedded an existing profile id in auth.clj prepare-register-profile, and had auth.clj register-profile issue a session based on the invitation email match without password verification, allowing a registered user to take over any non-blocked profile. This issue is fixed in version 2.14.5.

AnalysisAI

Account takeover in Penpot before 2.14.5 allows an authenticated registered user to hijack any non-blocked profile without knowing its password. The flaw chains three defects: create-team-invitations leaks invitation tokens, prepare-register-profile embeds an existing profile's id into the prepared-register JWE, and register-profile then mints a session on an invitation email match while skipping password verification (CWE-287). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Recommended ActionAI

Within 24 hours: Inventory all Penpot instances and verify their versions; contact Penpot support for patch status and timeline. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-44986 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy