Skip to main content

Forem EUVDEUVD-2026-37120

| CVE-2026-48780 HIGH
Improper Authentication (CWE-287)
2026-06-16 GitHub_M
8.2
CVSS 3.1 · Vendor: GitHub_M
Share

Severity by source

Vendor (GitHub_M) PRIMARY
8.2 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
vuln.today AI
6.5 MEDIUM

Remote unauthenticated bypass via registration endpoint; impact is unauthorized access to a gated community (limited confidentiality and integrity, no high-value data class guaranteed), no availability impact.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (GitHub_M).

CVSS VectorVendor: GitHub_M

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
Jun 16, 2026 - 15:23 vuln.today
Analysis Generated
Jun 16, 2026 - 15:23 vuln.today

DescriptionCVE.org

Forem is open source software for building communities. Prior to commit a2ab6d4, a maliciously crafted email address could allow an attacker to bypass domain allowlist or denylist restrictions and gain access to invite-only forem deployments. The issue is patched as of a2ab6d4. As a workaround, some SMTP servers and email delivery providers may drop or refuse to send maliciously crafted email addresses.

AnalysisAI

Authentication bypass in Forem (prior to commit a2ab6d4) allows remote attackers to circumvent email domain allowlist/denylist controls by submitting RFC 2047 encoded-word email addresses, enabling unauthorized registration on invite-only deployments. The flaw arises because the raw email string passes domain checks while downstream mail decoding resolves it to an attacker-controlled address, with no public exploit identified at time of analysis.

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Recon
Identify invite-only Forem instance with domain allowlist
Delivery
Craft RFC 2047 encoded-word email payload
Exploit
Submit to /users or /magic_links endpoint
Install
Allowlist validates raw domain string
C2
Mail layer decodes to attacker-controlled address
Execute
Receive magic link / confirmation at attacker inbox
Impact
Access gated community as new member

Vulnerability AssessmentAI

Exploitation Exploitation requires the target Forem deployment to enforce registration restrictions via a domain allowlist (Settings::Authentication.allowed_registration_email_domains) or denylist - i.e., invite-only or domain-gated communities; on fully open instances the bypass has no security boundary to defeat. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment CVSS 8.2 (AV:N/AC:L/PR:N/UI:N/C:H/I:L/A:N) reflects network-reachable, unauthenticated, low-complexity exploitation against confidentiality of invite-only communities - a realistic profile for a registration endpoint. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker targeting an invite-only Forem instance that allowlists 'company.com' submits the registration email '=?utf-8?q?test=40attacker.com=3e?=@company.com'; the allowlist check sees the literal domain 'company.com' and accepts it, but the mail subsystem decodes the address toward 'test@attacker.com', so the magic-link or confirmation email is delivered to the attacker's mailbox. The attacker completes account creation and gains access to the gated community. …
Remediation Upstream fix available (commit a2ab6d409d2676eb0711ecbd737192043125b437); released patched version not independently confirmed, so self-hosted operators should rebuild/redeploy Forem from main at or after that commit per https://github.com/forem/forem/commit/a2ab6d409d2676eb0711ecbd737192043125b437 and the advisory at https://github.com/forem/forem/security/advisories/GHSA-3g4h-9h37-mpx6. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Identify all Forem instances in production and audit recent user registrations for suspicious accounts; disable self-service registration if operationally feasible and implement manual account provisioning as interim control. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-37120 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy