Kiwi TCMS CVE-2026-49292
LOWSeverity by source
Network-accessible, unauthenticated endpoint (AV:N, PR:N) with no confidentiality or integrity impact; A:L reflects minor resource consumption from triggering idempotent database operations.
Lifecycle Timeline
1DescriptionCVE.org
Kiwi TCMS provides the /init-db/ page as part of its setup mechanism for administrators who prefer a browser instead of the command line. In previous versions of Kiwi TCMS this page still renders and responds to requests even after first use.
Impact
The /init-db/ page does not require any user authentication because it is the first setup operation that needs to be executed in order for Kiwi TCMS to function. Database initialization happens before there are any user accounts available!
While that looks serious at first the /init-db/ page is merely a proxy behind the /Kiwi/manage.py migrate command, which itself is designed to be reentrant. In the case of repeated access to the /init-db/ page after first use the output is:
Running migrations:
No migrations to apply.as shown on the screenshots below:
<img width="1911" height="992" alt="2222" src="https://github.com/user-attachments/assets/9f661c71-b305-4380-aadf-0732321b3666" />
<img width="1913" height="1020" alt="3333" src="https://github.com/user-attachments/assets/10f8553e-675d-42be-9adc-cd5613df015c" />
- There is no data loss because migrations result in a no-op if they are already applied!
- No application state is altered because all state changes have already been applied!
- No confidential information revealed because database migrations only report status on migrations which are clearly visible in source code!
Remediation
The /init-db/ page has been modified to short-circuit itself if migrations have already been applied, resulting in a no-op on the webUI layer as well.
AnalysisAI
Kiwi TCMS exposes its /init-db/ database setup endpoint without authentication even after initial setup is complete, allowing any unauthenticated remote actor to invoke the Django migration runner against an already-initialized database. Despite the Authentication Bypass classification (CWE-862), real-world impact is severely limited because the underlying manage.py migrate command is idempotent - once migrations are applied, repeated invocations produce a confirmed no-op with no data loss, no state change, and no information disclosure. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Any Kiwi TCMS deployment with the /init-db/ URL path reachable over the network is susceptible to unauthenticated access - no authentication, no special configuration, and no specific feature flag is required because the endpoint was designed to function before user accounts exist. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | Real-world risk is materially lower than the 'Authentication Bypass' tag implies. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An unauthenticated attacker who discovers a Kiwi TCMS instance sends an HTTP request to the /init-db/ endpoint after initial setup. The server invokes Django's migrate runner, which determines no pending migrations exist and returns 'No migrations to apply' - the attacker gains confirmation that the system is initialized and running but achieves no persistence, no data access, and no state change. … |
| Remediation | Upgrade Kiwi TCMS to the patched release that modifies the /init-db/ endpoint to short-circuit and return immediately when database migrations have already been applied, making the endpoint a no-op at the web UI layer as well. … Detailed patch versions, workarounds, and compensating controls in full report. |
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-v8rp-6xcv-fwgh