Skip to main content

Password Pusher EUVDEUVD-2026-28646

| CVE-2026-41308 MEDIUM
Authentication Bypass Using an Alternate Path or Channel (CWE-288)
2026-05-08 GitHub_M
6.5
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
Low
Availability
Low

Lifecycle Timeline

4
Patch available
May 08, 2026 - 16:18 EUVD
Source Code Evidence Fetched
May 08, 2026 - 16:17 vuln.today
Analysis Generated
May 08, 2026 - 16:17 vuln.today
CVE Published
May 08, 2026 - 14:30 nvd
MEDIUM 6.5

DescriptionGitHub Advisory

Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.

AnalysisAI

Unauthenticated attackers can create file-type pushes through Password Pusher's JSON API endpoints when the application is configured to allow anonymous pushes, bypassing intended authentication requirements for file uploads. Affected versions prior to 1.69.3 and 2.4.2 permit remote POST requests to /p.json and /api/v2/pushes endpoints with file payloads without valid credentials, allowing unauthorized file storage and potential information disclosure. Vendor-released patches versions 1.69.3 and 2.4.2 enforce mandatory authentication for all file-type push creation regardless of anonymous-push configuration.

Technical ContextAI

Password Pusher is a Rails-based web application designed to securely communicate sensitive information. The vulnerability exists in the API v1 and v2 push creation controllers (app/controllers/api/v1/pushes_controller.rb), where authentication logic was incorrectly gated only by the allow_anonymous configuration setting, failing to distinguish between text-based anonymous pushes and file uploads that should always require authentication. The root cause (CWE-288: Authentication Bypass Using an Alternate Path or Channel) stems from inconsistent authentication enforcement across multiple API endpoints (/p.json for v1, /api/v2/pushes for v2) that share creation logic. The fix introduces a new helper method requires_authentication_for_create? that explicitly checks for file-type pushes via the presence of a 'files' key or explicit 'kind' parameter set to 'file', enforcing authentication prior to Push object instantiation regardless of the allow_anonymous setting.

RemediationAI

Upgrade Password Pusher to version 1.69.3 or 2.4.2 or later immediately; both releases enforce mandatory authentication for file-type push creation. If immediate upgrade is not feasible, set both configuration settings allow_anonymous=false AND enable_file_pushes=false in config/settings.yml until patched - this disables the vulnerable code paths entirely but prevents all anonymous pushes and file uploads. For environments that require anonymous text pushes but must block file uploads, keep enable_file_pushes=false while allowing allow_anonymous=true; this limits exposure to the text-based functionality only. See the official GitHub security advisory at https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-qfh8-f79c-x86c and patched release tags (v1.69.3, v2.4.2) available at https://github.com/pglombardo/PasswordPusher/releases for deployment instructions and changelog details.

Share

EUVD-2026-28646 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy