Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Lifecycle Timeline
4DescriptionGitHub Advisory
Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.
AnalysisAI
Unauthenticated attackers can create file-type pushes through Password Pusher's JSON API endpoints when the application is configured to allow anonymous pushes, bypassing intended authentication requirements for file uploads. Affected versions prior to 1.69.3 and 2.4.2 permit remote POST requests to /p.json and /api/v2/pushes endpoints with file payloads without valid credentials, allowing unauthorized file storage and potential information disclosure. Vendor-released patches versions 1.69.3 and 2.4.2 enforce mandatory authentication for all file-type push creation regardless of anonymous-push configuration.
Technical ContextAI
Password Pusher is a Rails-based web application designed to securely communicate sensitive information. The vulnerability exists in the API v1 and v2 push creation controllers (app/controllers/api/v1/pushes_controller.rb), where authentication logic was incorrectly gated only by the allow_anonymous configuration setting, failing to distinguish between text-based anonymous pushes and file uploads that should always require authentication. The root cause (CWE-288: Authentication Bypass Using an Alternate Path or Channel) stems from inconsistent authentication enforcement across multiple API endpoints (/p.json for v1, /api/v2/pushes for v2) that share creation logic. The fix introduces a new helper method requires_authentication_for_create? that explicitly checks for file-type pushes via the presence of a 'files' key or explicit 'kind' parameter set to 'file', enforcing authentication prior to Push object instantiation regardless of the allow_anonymous setting.
RemediationAI
Upgrade Password Pusher to version 1.69.3 or 2.4.2 or later immediately; both releases enforce mandatory authentication for file-type push creation. If immediate upgrade is not feasible, set both configuration settings allow_anonymous=false AND enable_file_pushes=false in config/settings.yml until patched - this disables the vulnerable code paths entirely but prevents all anonymous pushes and file uploads. For environments that require anonymous text pushes but must block file uploads, keep enable_file_pushes=false while allowing allow_anonymous=true; this limits exposure to the text-based functionality only. See the official GitHub security advisory at https://github.com/pglombardo/PasswordPusher/security/advisories/GHSA-qfh8-f79c-x86c and patched release tags (v1.69.3, v2.4.2) available at https://github.com/pglombardo/PasswordPusher/releases for deployment instructions and changelog details.
More in Passwordpusher
View allPassphrase brute-force in PasswordPusher before 2.9.2 lets remote attackers who possess a push token recover the passphr
Cross-site scripting via data URI injection in PasswordPusher before 2.8.1 allows unauthenticated attackers to create UR
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28646