Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Remote unauthenticated bypass via registration endpoint; impact is unauthorized access to a gated community (limited confidentiality and integrity, no high-value data class guaranteed), no availability impact.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of a2ab6d4. As a workaround, some SMTP servers and email delivery providers may drop or refuse to send maliciously crafted email addresses.
AnalysisAI
Authentication bypass in Forem (prior to commit a2ab6d4) allows remote attackers to circumvent email domain allowlist/denylist controls by submitting RFC 2047 encoded-word email addresses, enabling unauthorized registration on invite-only deployments. The flaw arises because the raw email string passes domain checks while downstream mail decoding resolves it to an attacker-controlled address, with no public exploit identified at time of analysis.
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires the target Forem deployment to enforce registration restrictions via a domain allowlist (Settings::Authentication.allowed_registration_email_domains) or denylist - i.e., invite-only or domain-gated communities; on fully open instances the bypass has no security boundary to defeat. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | CVSS 8.2 (AV:N/AC:L/PR:N/UI:N/C:H/I:L/A:N) reflects network-reachable, unauthenticated, low-complexity exploitation against confidentiality of invite-only communities - a realistic profile for a registration endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker targeting an invite-only Forem instance that allowlists 'company.com' submits the registration email '=?utf-8?q?test=40attacker.com=3e?=@company.com'; the allowlist check sees the literal domain 'company.com' and accepts it, but the mail subsystem decodes the address toward 'test@attacker.com', so the magic-link or confirmation email is delivered to the attacker's mailbox. The attacker completes account creation and gains access to the gated community. … |
| Remediation | Upstream fix available (commit a2ab6d409d2676eb0711ecbd737192043125b437); released patched version not independently confirmed, so self-hosted operators should rebuild/redeploy Forem from main at or after that commit per https://github.com/forem/forem/commit/a2ab6d409d2676eb0711ecbd737192043125b437 and the advisory at https://github.com/forem/forem/security/advisories/GHSA-3g4h-9h37-mpx6. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Identify all Forem instances in production and audit recent user registrations for suspicious accounts; disable self-service registration if operationally feasible and implement manual account provisioning as interim control. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37120