
Homarr EUVD-2026-19277

CVE-2026-32602 · MEDIUM
Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
Published 2026-04-06 · security-advisories@github.com
Score 4.2 (CVSS 3.1, GitHub Advisory)

Severity by source

GitHub Advisory PRIMARY
4.2 MEDIUM
AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: Low
Availability: None

Lifecycle Timeline

Patch available (1.57.0): Apr 16, 2026 - 05:29 (EUVD)
EUVD ID assigned (EUVD-2026-19277): Apr 06, 2026 - 15:22 (euvd)
Analysis generated: Apr 06, 2026 - 15:22 (vuln.today)
CVE published: Apr 06, 2026 - 15:17 (nvd)

Description (GitHub Advisory)

Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: CHECK, CREATE, and DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0.
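The following is an added illustration of the flaw described above, not Homarr's code: it models the CHECK, CREATE, DELETE sequence over a constructed SQLite schema, interleaves several registration requests the way concurrent HTTP requests would, and contrasts it with a variant that claims the token atomically (a conditional UPDATE inside one transaction, one way of achieving the atomicity the fix requires; Homarr's actual patch is not reproduced here). Table names, the sample token and the scheduler are assumptions for the demo.

```python
import sqlite3

def fresh_db():
    """Constructed in-memory stand-in for the invite and user tables (not Homarr's schema)."""
    db = sqlite3.connect(":memory:", isolation_level=None)  # autocommit: each statement is atomic
    db.execute("CREATE TABLE invite (token TEXT PRIMARY KEY, used_by TEXT)")
    db.execute("CREATE TABLE user (name TEXT PRIMARY KEY)")
    db.execute("INSERT INTO invite (token) VALUES ('inv-123')")  # constructed sample token
    return db

def register_vulnerable(db, token, name):
    """CHECK, CREATE, DELETE as three separate statements; each yield is a window for another request."""
    exists = db.execute("SELECT 1 FROM invite WHERE token = ?", (token,)).fetchone()  # 1. CHECK
    yield
    if exists is None:
        return False
    db.execute("INSERT INTO user (name) VALUES (?)", (name,))  # 2. CREATE
    yield
    db.execute("DELETE FROM invite WHERE token = ?", (token,))  # 3. DELETE
    return True

def register_fixed(db, token, name):
    """Claim the token and create the user in one transaction: the conditional UPDATE is
    both the check and the consumption, so at most one request observes rowcount == 1."""
    yield  # no window after this point: the transaction runs to completion without yielding
    db.execute("BEGIN IMMEDIATE")
    claimed = db.execute("UPDATE invite SET used_by = ? WHERE token = ? AND used_by IS NULL", (name, token)).rowcount
    if claimed != 1:
        db.execute("ROLLBACK")
        return False
    db.execute("INSERT INTO user (name) VALUES (?)", (name,))
    db.execute("COMMIT")
    return True

def run_interleaved(requests):
    """Round-robin: every request takes a step before any takes a second (worst case for check-then-act)."""
    results, active = {}, dict(enumerate(requests))
    while active:
        for i, gen in list(active.items()):
            try:
                next(gen)
            except StopIteration as done:
                results[i] = bool(done.value)
                del active[i]
    return [results[i] for i in sorted(results)]

def simulate(register, n, token="inv-123"):
    # Returns (registrations reported successful, accounts actually created).
    db = fresh_db()
    results = run_interleaved([register(db, token, f"user{i}") for i in range(n)])
    return sum(results), db.execute("SELECT COUNT(*) FROM user").fetchone()[0]
```

With five interleaved requests the vulnerable flow reports five successes and creates five accounts from the one token, while the atomic variant admits exactly one.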

Analysis (AI)

Homarr prior to version 1.57.0 contains a race condition in the user registration endpoint that allows authenticated attackers to bypass single-use invite token restrictions and create multiple user accounts with a single token. The vulnerability stems from non-atomic database operations (CHECK, CREATE, DELETE) that can be exploited through concurrent requests, enabling unauthorized account creation on instances with restrictive registration policies. …


Vulnerability Assessment (AI)

Risk Assessment: Despite the moderate CVSS score of 4.2, this vulnerability presents a meaningful real-world risk for Homarr deployments that rely on invite tokens as a security boundary. …

Exploit Scenario: An attacker with a single legitimate invitation token to a Homarr instance could use a concurrent request tool or custom script to submit multiple registration requests simultaneously, all using the same token. Because the CHECK and CREATE operations complete before the DELETE operation is executed across all concurrent requests, each request passes validation and creates a user account. …

Remediation: Upgrade Homarr to version 1.57.0 or later, which patches the race condition by implementing atomic database transactions for the user registration flow. …


EUVD-2026-19277 vulnerability details – vuln.today
