Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Any authenticated low-priv member exploits an unprotected action over the network (PR:L, AC:L, UI:N); reading the API key gives C:H and rewriting global settings gives I:H, with no direct availability loss.
Primary rating from Vendor (VulnCheck).
CVSS VectorVendor: VulnCheck
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
2DescriptionCVE.org
Maybe through 0.6.0 contains a missing authorization vulnerability that allows authenticated low-privilege member-role users to access and modify global hosting settings by exploiting unprotected show and update actions in the Settings::HostingsController, where the before_action ensure_admin filter is applied only to the clear_cache action. Attackers can read the operator's Synth API key rendered in plaintext via a form field value attribute, overwrite it with an attacker-controlled value, toggle public registration settings, and disable email confirmation requirements to disrupt the entire instance.
AnalysisAI
Broken access control in Maybe Finance (self-hosted personal finance app) through 0.6.0 lets any authenticated low-privilege member-role user read and rewrite instance-wide hosting settings because Settings::HostingsController applies the ensure_admin before_action only to clear_cache, leaving show and update exposed. A member can exfiltrate the operator's Synth API key rendered in plaintext in a form field, replace it with an attacker-controlled value, enable open public registration, and disable email-confirmation enforcement to disrupt the instance. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires an authenticated low-privilege member-role account on the target Maybe instance (CVSS PR:L, so authenticated but not admin) and network reachability to the app (AV:N). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, score 7.1) captures network reachability, low complexity, and low-privilege authentication, and rates confidentiality High for the leaked Synth API key - but it scores integrity as VI:N, which understates the flaw because the same update action lets a member overwrite the API key and toggle registration and email-confirmation settings; those are clear integrity impacts, so an independent assessment raises integrity to High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker registers or is granted a normal member account on a Maybe instance, then browses directly to the hosting settings page where the Synth API key is exposed in plaintext in a form field. Using the public exploit code, they submit an update request that steals or replaces the API key, flips public registration on, and disables email confirmation, degrading the instance and abusing the operator's third-party API quota. … |
| Remediation | No vendor-released patch version is identified in the available data, so track the advisories for current fix status: VulnCheck (https://www.vulncheck.com/advisories/maybe-missing-authorization-via-hostingscontroller-show-update) and the write-up (https://github.com/geo-chen/oss/blob/main/maybe.md); upgrade to a fixed release as soon as maintainers publish one that moves ensure_admin to a controller-wide before_action covering show and update. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: immediately restrict or revoke access for member-role accounts in all affected Maybe Finance instances and rotate the operator's Synth API key to invalidate any exfiltrated credentials. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-45199