Skip to main content

Cerebrate CVE-2026-53912

| EUVDEUVD-2026-36220 MEDIUM
Information Exposure (CWE-200)
2026-06-11 CIRCL GHSA-88x3-39g9-9frv
5.1
CVSS 4.0 · Vendor: CIRCL
Share

Severity by source

Vendor (CIRCL) PRIMARY
5.1 MEDIUM
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:Green
vuln.today AI
2.7 LOW

Network-accessible endpoint but PR:H required for inbox access; hash disclosure yields only low confidentiality impact with no integrity or availability consequence.

3.1 AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N

Primary rating from Vendor (CIRCL).

CVSS VectorVendor: CIRCL

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:N/AU:X/R:X/V:X/RE:X/U:Green
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
N

Lifecycle Timeline

3
Patch available
Jun 11, 2026 - 13:01 EUVD
Source Code Evidence Fetched
Jun 11, 2026 - 11:57 vuln.today
Analysis Generated
Jun 11, 2026 - 11:57 vuln.today

DescriptionCVE.org

Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, and CSV outputs, and could also be written unredacted into audit log entries for the inbox message.

An authenticated user with sufficient privileges to access inbox entries or related audit logs could retrieve password hashes associated with pending self-registration requests. Although the exposed value is a password hash rather than a plaintext password, disclosure of password hashes may enable offline password-cracking attempts and could increase risk where users reuse passwords across systems.

Cerebrate 1.37 fixes the issue by redacting sensitive password and authkey fields from inbox display/API output and recursively redacting those fields from JSON values written to audit logs, while leaving the stored registration payload intact for account creation processing.

Affected component: Inbox self-registration request handling and audit logging

Fixed version: Cerebrate 1.37

AnalysisAI

Cerebrate's inbox self-registration workflow exposed bcrypt password hashes of pending registrants to any authenticated user holding inbox or audit log access privileges. The hashed credential appeared unredacted across HTML, JSON, and CSV inbox responses and was also written unredacted into audit log entries, as confirmed by commit 02da6d7 and its accompanying test assertions checking for suppression of the $2y$10$ bcrypt prefix. Exploitation requires PR:H per the CVSS 4.0 vector, no active exploitation is confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Technical ContextAI

Cerebrate is a CakePHP-based threat intelligence community management platform (CPE: cpe:2.3:a:cerebrate:cerebrate:*:*:*:*:*:*:*:*). Self-registration requests are stored in an Inbox table with a JSON-typed data column that includes the registrant's hashed password and authkey. CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) applies: the InboxController returned entity data directly without filtering, causing the JSON payload - including the bcrypt hash (evidenced by the $2y$10$ prefix asserted in test cases) - to surface in all output formats. The AuditLogBehavior similarly serialized entire changed-field arrays to the audit log without recursively scrubbing nested credential keys. The fix introduced InboxTable::redactSensitiveData() for display/API paths and AuditLogBehavior::redactNestedSensitiveFields() for log paths, leaving the stored payload intact so the account-creation processor can still consume it.

RemediationAI

Upgrade to Cerebrate 1.37, which redacts the password and authkey fields from all inbox display and API output formats (HTML, JSON, CSV) and recursively scrubs those fields from JSON column values written to audit logs. The patch is confirmed via commit 02da6d708d610c8509a1aab3f58f53f0a91d8a04. Prior to patching, restrict inbox and audit log access permissions to the absolute minimum set of privileged accounts, reducing the pool of users who could retrieve exposed hashes; note this does not eliminate the data from existing audit log entries already written. Administrators should also review existing audit logs for any inbox entries containing $2y$10$-prefixed values and consider rotating passwords for affected registrants as a precaution.

CVE-2022-25321 MEDIUM POC
6.1 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo

CVE-2023-28883 CRITICAL
9.8 Mar 27

In Cerebrate 1.13, a blind SQL injection exists in the searchAll API endpoint. Rated critical severity (CVSS 9.8), this

CVE-2022-25319 MEDIUM POC
5.3 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo

CVE-2023-26468 CRITICAL
9.1 Feb 24

Cerebrate 1.12 does not properly consider organisation_id during creation of API keys. Rated critical severity (CVSS 9.1

CVE-2026-53901 HIGH
8.7 Jun 11

Mass-assignment in Cerebrate before v1.37 lets remote attackers reaching a generic CRUD add endpoint supply a client-con

CVE-2026-53911 MEDIUM
6.3 Jun 11

Unauthorized record modification in Cerebrate before 1.37 allows any authenticated user to overwrite arbitrary records o

CVE-2022-25317 MEDIUM
6.1 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 6.1), this vulnerability is remotely explo

CVE-2023-41908 MEDIUM
5.3 Sep 05

Cerebrate before 1.15 lacks the Secure attribute for the session cookie. Rated medium severity (CVSS 5.3), this vulnerab

CVE-2022-25320 MEDIUM
5.3 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 5.3), this vulnerability is remotely explo

CVE-2023-41363 MEDIUM
4.3 Aug 29

In Cerebrate 1.14, a vulnerability in UserSettingsController allows authenticated users to change user settings of other

CVE-2022-25318 MEDIUM
4.3 Feb 18

An issue was discovered in Cerebrate through 1.4. Rated medium severity (CVSS 4.3), this vulnerability is remotely explo

Share

CVE-2026-53912 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy