Skip to main content

Cronmaster EUVDEUVD-2026-17971

| CVE-2026-34072 HIGH
Improper Authentication (CWE-287)
2026-04-01 GitHub_M
8.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
8.3 HIGH
AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

3
EUVD ID Assigned
Apr 01, 2026 - 17:30 euvd
EUVD-2026-17971
Analysis Generated
Apr 01, 2026 - 17:30 vuln.today
CVE Published
Apr 01, 2026 - 16:51 nvd
HIGH 8.3

DescriptionGitHub Advisory

Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.

AnalysisAI

Authentication bypass in CronMaster versions prior to 2.2.0 allows adjacent network attackers to gain unauthorized administrative access without credentials. When session validation requests fail, the middleware incorrectly treats invalid session cookies as authenticated, enabling execution of privileged Next.js Server Actions and access to protected administrative pages. EPSS data not available for this recent CVE; no public exploit identified at time of analysis, though exploitation complexity is low once network access is achieved.

Technical ContextAI

CronMaster is a web-based cronjob management interface built on Next.js that provides scheduled task administration with logging capabilities. This vulnerability stems from CWE-287 (Improper Authentication) in the application's authentication middleware layer. The flaw occurs in the session validation logic where failed fetch requests to verify session cookies result in a fail-open behavior rather than fail-closed. In Next.js Server Actions architecture, middleware authentication failures should deny access by default, but this implementation allows requests to proceed when the validation mechanism itself encounters errors (network timeouts, service unavailability, exception handling failures). The affected component is cpe:2.3:a:fccview:cronmaster prior to version 2.2.0, specifically the middleware responsible for protecting both page routes and server-side API actions that control cronjob execution and configuration.

RemediationAI

Organizations should immediately upgrade CronMaster to version 2.2.0 or later, which contains a patch addressing the authentication middleware fail-open behavior. The patched release is available at https://github.com/fccview/cronmaster/releases/tag/2.2.0. Until patching is complete, implement network-level controls to restrict access to CronMaster instances to only trusted network segments, eliminating adjacent network attack opportunities. Review access logs for any suspicious activity patterns such as requests with malformed or invalid session cookies that received successful responses. As an additional defense-in-depth measure, ensure session validation backend services have proper redundancy and monitoring to prevent validation failures that could trigger the vulnerable code path. Consult the GitHub security advisory at https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6 for additional vendor-recommended hardening guidance.

Share

EUVD-2026-17971 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy