Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionGitHub Advisory
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111.
AnalysisAI
Cronicle prior to 0.9.111 allows low-privilege authenticated users to modify arbitrary event properties via an authorization bypass in the job child process update mechanism. An attacker with permission to create and run events can inject an update_event key in JSON output that the server applies directly to any event's configuration without authorization checks, enabling modification of webhook URLs, notification emails, and other sensitive event parameters. This vulnerability requires prior authentication and event creation capabilities but represents a significant privilege escalation risk in multi-user Cronicle deployments.
Technical ContextAI
Cronicle is a distributed task scheduler that executes jobs across multiple servers using child processes (referred to as 'jb' processes). The vulnerability stems from insufficient authorization validation in the event update flow (CWE-862: Missing Authorization). When job child processes return JSON output, they can include an update_event key that modifies the parent event's stored configuration. The server processes this update without verifying that the requesting user has authorization to modify the target event. This bypasses the intended access control model where only event creators or administrators should modify event properties. The affected component is the event configuration handling mechanism in the Cronicle scheduler core, as identified by CPE cpe:2.3:a:jhuckaby:cronicle:*:*:*:*:*:*:*:*.
RemediationAI
Vendor-released patch: Cronicle 0.9.111 and later contain fixes for the authorization bypass. Users should immediately upgrade from versions prior to 0.9.111 to version 0.9.111 or the latest available release. The patch adds proper authorization checks to the update_event processing logic to ensure that only authorized users can modify event properties. No interim workarounds are documented; patching is the primary remediation path. Reference the GitHub Security Advisory at https://github.com/jhuckaby/Cronicle/security/advisories/GHSA-5j3v-cq96-xw6v and ENISA EUVD entry EUVD-2026-19925 for detailed guidance.
Same weakness CWE-862 – Missing Authorization
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19925