
LimeSurvey CVE-2026-50635

EUVD-2026-35769 · HIGH
Weak Password Recovery Mechanism for Forgotten Password (CWE-640)
2026-06-09 · VulnCheck · GHSA-5c37-5j7w-8mh8
CVSS 4.0 base score 8.7 (NVD)

Severity by source

NVD (primary): 8.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD; the only source for this CVE.

CVSS Vector (NVD), base metrics

Attack Vector: Network (AV:N)
Attack Complexity: Low (AC:L)
Privileges Required: None (PR:N)
User Interaction: Passive (UI:P)
Scope: Not defined (X)

Lifecycle Timeline (3 events)

Jun 09, 2026 18:52 · vuln.today · Source Code Evidence Fetched
Jun 09, 2026 18:52 · vuln.today · Analysis Generated
Jun 09, 2026 18:22 · NVD · CVSS changed from 8.8 (HIGH) to 8.7 (HIGH)

Description (CVE.org)

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host's newPassword endpoint to set a new password and take over the account.

Analysis (AI)

Account takeover in LimeSurvey is possible through host header injection in the forgotten-password workflow, where reset links are built from the client-supplied HTTP Host header without validation. Remote unauthenticated attackers who know a target's username and email can submit a password-reset request with a spoofed Host header, causing LimeSurvey to email the victim a reset link pointing to an attacker-controlled host while still embedding the valid reset token. …


Attack Chain (AI derived)

Hypothetical attack flow derived from CVE metadata

Recon: Enumerate target username and email
Delivery: Send forgotten-password POST with spoofed Host header
Exploit: LimeSurvey emails reset link to victim with attacker host and valid token
Install: Mail gateway or victim dereferences malicious link
C2: Attacker server logs validation_key
Execute: Replay token against legitimate newPassword endpoint
Impact: Account takeover with password reset

Vulnerability Assessment (AI)

Exploitation: Exploitation requires that LimeSurvey is deployed with allowedHosts undefined in its config, which is the default and documented state, making the in-product host check a no-op. …

Risk Assessment: The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H) yields 8.7 and accurately reflects a network-reachable, low-complexity, unauthenticated attack with high confidentiality, integrity, and availability impact on the targeted account, gated by passive user interaction, namely the victim's mail client, mail security gateway, or link-prefetch scanner dereferencing the malicious URL. …

Exploit Scenario: An attacker who has identified a LimeSurvey administrator's username and email (often discoverable from public surveys, organizational pages, or prior breaches) sends a forgotten-password POST to the legitimate LimeSurvey instance with a Host header set to attacker.example. LimeSurvey emails the victim a reset link such as https://attacker.example/admin/authentication/sa/newPassword?param=<valid_token>; when the victim's mail security gateway pre-scans inbound URLs, or the victim clicks the link, the attacker's server captures the genuine validation_key from the request and replays it against the legitimate host to set a new password and take over the administrator account. …

Remediation: An upstream fix is available (PR/commit); a released patched version has not been independently confirmed. Apply the changes from LimeSurvey PR #5032 (https://github.com/LimeSurvey/LimeSurvey/pull/5032) once incorporated into a tagged release, or backport the patch, which introduces an application/config/allowed_hosts.php allowlist, an isHostAllowed() enforcement helper, and createValidatedAbsoluteUrl() usage in LimeMailer. …
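The two patterns the assessment contrasts, as an added illustration that is not LimeSurvey's code and not the contents of PR #5032: the weak pattern treats an undefined allowlist as "no check" and copies the request's Host header into the reset link, while the hardened pattern fails closed on an empty allowlist and falls back to a configured canonical base URL. The function names (legacy_check_is_allowed_host, validated_reset_link), the canonical_base_url setting and the fallback-rather-than-reject behaviour are assumptions of this example; the page only names the upstream helpers isHostAllowed() and createValidatedAbsoluteUrl() without describing their internals.

```python
"""Constructing password-reset links from a validated host.

Constructed example, not LimeSurvey code. Shows why an undefined allowlist
that is treated as "no check" lets a client-supplied Host header into the
emailed link, and how a fail-closed allowlist plus a configured canonical
base URL removes the client's influence over the hostname.
"""
from __future__ import annotations

from typing import Iterable, Optional
from urllib.parse import urlencode

RESET_PATH = "/admin/authentication/sa/newPassword"  # path taken from the advisory text


def normalize_host(host_header: str) -> str:
    """Lower-case the Host header and drop a trailing :port (IPv6 literals kept whole)."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # bracketed IPv6 literal such as [::1]:8443
        return host.split("]", 1)[0] + "]"
    if host.count(":") == 1:                 # hostname:port
        return host.rsplit(":", 1)[0]
    return host


def legacy_check_is_allowed_host(host_header: str, allowed_hosts: Optional[Iterable[str]]) -> bool:
    """Weak check modelled on the advisory: an undefined allowlist means the check is a no-op."""
    if allowed_hosts is None:
        return True                          # nothing configured, so nothing is rejected
    return normalize_host(host_header) in {h.lower() for h in allowed_hosts}


def is_host_allowed(host_header: str, allowed_hosts: Optional[Iterable[str]]) -> bool:
    """Hardened check: an undefined or empty allowlist rejects every host (fail closed)."""
    if not allowed_hosts:
        return False
    return normalize_host(host_header) in {h.lower() for h in allowed_hosts}


def weak_reset_link(host_header: str, token: str, allowed_hosts: Optional[Iterable[str]]) -> str:
    """Weak pattern: the hostname in the emailed link comes straight from the request."""
    if not legacy_check_is_allowed_host(host_header, allowed_hosts):
        raise ValueError("Host header not in allowedHosts")
    return f"https://{host_header.strip().lower()}{RESET_PATH}?" + urlencode({"param": token})


def validated_reset_link(
    host_header: str,
    token: str,
    allowed_hosts: Optional[Iterable[str]],
    canonical_base_url: str,
) -> str:
    """Hardened pattern: use the request host only if allowlisted, else the configured base URL.

    canonical_base_url is an assumed deployment setting (scheme and host the
    operator owns). Falling back to it, rather than rejecting the request,
    keeps the reset flow working while denying the client any say in the host.
    """
    if is_host_allowed(host_header, allowed_hosts):
        base = f"https://{host_header.strip().lower()}"
    else:
        base = canonical_base_url.rstrip("/")
    return f"{base}{RESET_PATH}?" + urlencode({"param": token})


if __name__ == "__main__":
    # Constructed inputs: a spoofed Host header and a placeholder token.
    spoofed, token = "attacker.example", "TOKEN_PLACEHOLDER"
    print("weak, allowlist undefined:  ", weak_reset_link(spoofed, token, None))
    print("hardened, allowlist defined:", validated_reset_link(
        spoofed, token, ["survey.example.org"], "https://survey.example.org/"))
```

With the allowlist undefined the weak builder emits a link on attacker.example carrying the token, exactly the condition the assessment describes; the hardened builder emits the same path and token on the operator's own host regardless of what the request claimed.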

Recommended Action (AI)

Within 24 hours: Inventory all LimeSurvey instances and verify current version against vendor advisory. …


CVE-2026-50635 vulnerability details – vuln.today
