Skip to main content

ApostropheCMS CVE-2026-45013

| EUVDEUVD-2026-36571 HIGH
Improper Input Validation (CWE-20)
2026-05-14 https://github.com/apostrophecms/apostrophe GHSA-gf43-24g3-5hw2
8.1
CVSS 3.1 · Vendor: https://github.com/apostrophecms/apostrophe
Share

Severity by source

Vendor (https://github.com/apostrophecms/apostrophe) PRIMARY
8.1 HIGH
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N

Primary rating from Vendor (https://github.com/apostrophecms/apostrophe) · only source for this CVE.

CVSS VectorVendor: https://github.com/apostrophecms/apostrophe

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
Required
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

3
Source Code Evidence Fetched
May 14, 2026 - 19:02 vuln.today
Analysis Generated
May 14, 2026 - 19:02 vuln.today
CVE Published
May 14, 2026 - 18:27 nvd
HIGH 8.1

DescriptionCVE.org

Summary

ApostropheCMS's password reset flow constructs the reset URL using req.hostname, which is derived directly from the attacker-controlled HTTP Host header when apos.baseUrl is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset request that causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid reset token is delivered to the attacker, enabling full account takeover.

Affected Component

modules/@apostrophecms/login/index.js - resetRequest route Precondition: passwordReset: true is set and apos.baseUrl is not configured.

Vulnerability Details

The setPrefixUrls middleware (i18n layer) builds req.baseUrl using req.hostname:

js
// Simplified from i18n middleware
req.baseUrl = `${req.protocol}://${req.hostname}`;
req.absoluteUrl = req.baseUrl + req.url;

The resetRequest handler then passes this tainted value directly into URL construction:

js
const parsed = new URL(
  req.absoluteUrl,           // ← tainted by attacker's Host header
  self.apos.baseUrl
    ? undefined
    : `${req.protocol}://${req.hostname}${port}`  // ← also tainted
);
parsed.pathname = '/login';
parsed.searchParams.append('reset', reset);   // real, valid token
parsed.searchParams.append('email', user.email);
await self.email(..., { url: parsed.toString() }, ...);
// Email sent to victim with URL pointing to attacker-controlled domain

When apos.baseUrl is configured, it is used unconditionally and the attacker's Host header is ignored - that path is not vulnerable.

Attack Scenario

  1. Attacker identifies a valid user email (e.g. from the site's public interface).
  2. Attacker sends:
   POST /api/v1/login/reset-request
   Host: evil.attacker.com
   Content-Type: application/json

   {"email": "victim@example.com"}
  1. The application emails the victim:
   Click here to reset your password:
   http://evil.attacker.com/login?reset=TOKEN&email=victim@example.com
  1. Victim clicks the link; attacker's server captures TOKEN.
  2. Attacker calls the real target's reset endpoint with the captured token and

sets a new password - full account takeover.

Preconditions

  • passwordReset: true configured in login module options (opt-in)
  • apos.baseUrl is not set (common in development and some production deployments)
  • Attacker knows or can enumerate a valid account email

Impact

Full account takeover of any account whose email address is known to the attacker. No authentication or interaction beyond sending a single HTTP request is required from the attacker. The victim need only click a link in a legitimate-looking password reset email from their own site.

Remediation

Operators (immediate): Always set apos.baseUrl in your configuration:

js
// app.js or module configuration
modules: {
  '@apostrophecms/express': {
    options: {
      baseUrl: 'https://yourdomain.com'
    }
  }
}

Framework fix (recommended): The resetRequest route should refuse to proceed if apos.baseUrl is not configured, rather than falling back to the tainted req.hostname. Example:

js
// In resetRequest handler
if (!self.apos.baseUrl) {
  throw self.apos.error(
    'invalid',
    'apos.baseUrl must be configured to enable password reset'
  );
}
const parsed = new URL(self.loginUrl(), self.apos.baseUrl);

This eliminates the attacker-controlled input entirely from the URL construction path.

References

AnalysisAI

Account takeover in ApostropheCMS password reset flow allows remote attackers to steal password reset tokens via Host header injection. When apos.baseUrl is not configured (common in development and some production deployments), the password reset mechanism trusts the attacker-controlled HTTP Host header to construct reset URLs, causing victims to receive legitimate reset emails with links pointing to attacker domains. Clicking the link delivers valid reset tokens to the attacker, enabling full account compromise. CVSS 8.1 (High) with network attack vector, low complexity, and no privileges required. No public exploit identified at time of analysis, though the vulnerability is straightforward to exploit given the detailed technical disclosure in the GitHub security advisory.

Technical ContextAI

The vulnerability exists in the password reset flow of ApostropheCMS's login module (modules/@apostrophecms/login/index.js). The root cause is improper input validation (CWE-20) and weak password recovery mechanism design (CWE-640). When the apos.baseUrl configuration option is not set, the setPrefixUrls middleware constructs req.baseUrl and req.absoluteUrl using req.hostname, which Node.js/Express derives directly from the HTTP Host header without validation. The resetRequest route handler then uses this tainted value as the base URL for password reset links sent via email. The code constructs URLs using 'new URL(req.absoluteUrl, fallback)' where both parameters can be attacker-controlled when baseUrl is missing. This is a classic Host header injection vulnerability affecting web frameworks that trust client-supplied headers for URL construction. The vulnerability affects npm package 'apostrophe' versions up to and including 4.29.0 according to CPE data.

RemediationAI

No vendor-released patch identified at time of analysis - affected versions through 4.29.0 remain vulnerable per GitHub advisory. Immediate mitigation requires configuration change rather than upgrade: operators must explicitly set apos.baseUrl in their ApostropheCMS configuration to prevent the application from trusting the Host header. Add to app.js or module configuration: modules: { '@apostrophecms/express': { options: { baseUrl: 'https://yourdomain.com' } } }. Replace 'https://yourdomain.com' with the canonical production domain. This configuration change completely eliminates attacker control over reset URL construction by forcing the application to use the hardcoded baseUrl value. As a defense-in-depth measure, organizations can also disable password reset functionality if not required by setting passwordReset: false in login module options, though this impacts legitimate user password recovery. Monitor the GitHub advisory at https://github.com/apostrophecms/apostrophe/security/advisories/GHSA-gf43-24g3-5hw2 and https://github.com/advisories/GHSA-gf43-24g3-5hw2 for vendor patch releases. The advisory recommends a code-level fix where resetRequest refuses to proceed when apos.baseUrl is missing, which would eliminate the vulnerability at the framework level.

Share

CVE-2026-45013 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy