Skip to main content

Kiwi TCMS CVE-2026-49292

LOW
Missing Authorization (CWE-862)
2026-07-02 https://github.com/kiwitcms/Kiwi GHSA-v8rp-6xcv-fwgh

Severity by source

vuln.today AI
5.3 MEDIUM

Network-accessible, unauthenticated endpoint (AV:N, PR:N) with no confidentiality or integrity impact; A:L reflects minor resource consumption from triggering idempotent database operations.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N

Lifecycle Timeline

1
Analysis Generated
Jul 02, 2026 - 21:24 vuln.today

DescriptionCVE.org

Kiwi TCMS provides the /init-db/ page as part of its setup mechanism for administrators who prefer a browser instead of the command line. In previous versions of Kiwi TCMS this page still renders and responds to requests even after first use.

Impact

The /init-db/ page does not require any user authentication because it is the first setup operation that needs to be executed in order for Kiwi TCMS to function. Database initialization happens before there are any user accounts available!

While that looks serious at first the /init-db/ page is merely a proxy behind the /Kiwi/manage.py migrate command, which itself is designed to be reentrant. In the case of repeated access to the /init-db/ page after first use the output is:

Running migrations:
  No migrations to apply.

as shown on the screenshots below:

<img width="1911" height="992" alt="2222" src="https://github.com/user-attachments/assets/9f661c71-b305-4380-aadf-0732321b3666" />

<img width="1913" height="1020" alt="3333" src="https://github.com/user-attachments/assets/10f8553e-675d-42be-9adc-cd5613df015c" />

  • There is no data loss because migrations result in a no-op if they are already applied!
  • No application state is altered because all state changes have already been applied!
  • No confidential information revealed because database migrations only report status on migrations which are clearly visible in source code!

Remediation

The /init-db/ page has been modified to short-circuit itself if migrations have already been applied, resulting in a no-op on the webUI layer as well.

AnalysisAI

Kiwi TCMS exposes its /init-db/ database setup endpoint without authentication even after initial setup is complete, allowing any unauthenticated remote actor to invoke the Django migration runner against an already-initialized database. Despite the Authentication Bypass classification (CWE-862), real-world impact is severely limited because the underlying manage.py migrate command is idempotent - once migrations are applied, repeated invocations produce a confirmed no-op with no data loss, no state change, and no information disclosure. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Identify network-accessible Kiwi TCMS instance
Delivery
Send unauthenticated HTTP request to /init-db/
Exploit
Trigger Django manage.py migrate execution
Execution
Receive idempotent no-op response
Impact
Confirm instance is live and initialized

Vulnerability AssessmentAI

Exploitation Any Kiwi TCMS deployment with the /init-db/ URL path reachable over the network is susceptible to unauthenticated access - no authentication, no special configuration, and no specific feature flag is required because the endpoint was designed to function before user accounts exist. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment Real-world risk is materially lower than the 'Authentication Bypass' tag implies. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An unauthenticated attacker who discovers a Kiwi TCMS instance sends an HTTP request to the /init-db/ endpoint after initial setup. The server invokes Django's migrate runner, which determines no pending migrations exist and returns 'No migrations to apply' - the attacker gains confirmation that the system is initialized and running but achieves no persistence, no data access, and no state change. …
Remediation Upgrade Kiwi TCMS to the patched release that modifies the /init-db/ endpoint to short-circuit and return immediately when database migrations have already been applied, making the endpoint a no-op at the web UI layer as well. … Detailed patch versions, workarounds, and compensating controls in full report.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-49292 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy