Skip to main content

Scoold EUVDEUVD-2026-28818

| CVE-2026-42176 MEDIUM
Missing Authentication for Critical Function (CWE-306)
2026-05-08 GitHub_M
6.7
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
6.7 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
Low

Lifecycle Timeline

4
Patch available
May 08, 2026 - 21:03 EUVD
Source Code Evidence Fetched
May 08, 2026 - 20:01 vuln.today
Analysis Generated
May 08, 2026 - 20:01 vuln.today
CVE Published
May 08, 2026 - 19:16 nvd
MEDIUM 6.7

DescriptionGitHub Advisory

Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address is written to the application configuration file. The change does not become active immediately in the current process, because the ADMINS set is loaded once at startup. After a Scoold restart, though, the selected user is recognized as an administrator and gains access to the admin panel. This issue gives an attacker a reliable persistence path: write their own email into scoold.admins, wait for a restart or trigger one operationally, and the account comes back as admin. This issue has been patched in version 1.67.0.

AnalysisAI

Authentication bypass in Scoold prior to version 1.67.0 allows high-privileged attackers to inject arbitrary administrator email addresses via the /api/config/set/admins endpoint using a forged Bearer token, establishing persistent administrative access after application restart. The vulnerability exploits insufficient token validation in the configuration API, enabling attackers to escalate privileges reliably by injecting their own email into the admin configuration file, which is loaded on startup.

Technical ContextAI

Scoold's configuration API endpoint /api/config/set/admins accepts Bearer token authentication but fails to properly validate token authenticity before processing privileged configuration changes. The underlying issue stems from CWE-306 (Missing Authentication Check), where the API trusts forged tokens as valid administrative credentials. The ADMINS configuration is loaded once at application startup into memory, meaning malicious changes written to the configuration file do not take effect in the current process but persist across restarts. This creates a delayed-effect persistence mechanism where an attacker's injected email address becomes an active administrator account after the next application restart, bypassing normal access control mechanisms.

RemediationAI

Upgrade to Scoold version 1.67.0 or later, which implements security checks in ApiController for proper personal access token validation and authentication handling. The patch is confirmed in the official GitHub release (https://github.com/Erudika/scoold/releases/tag/1.67.0). If immediate patching is not possible, implement network-level access controls to restrict access to the /api/config/set/admins endpoint to internal networks only, implement IP whitelisting for API endpoints, and audit all existing administrator accounts and recent configuration changes to detect unauthorized admin injection. Monitor application logs for suspicious Bearer token usage and config modification attempts. Note that these controls do not prevent attack if the attacker already possesses valid high-privilege API credentials; patching remains the primary mitigation.

Share

EUVD-2026-28818 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy