Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Unauthenticated network write to config (PR:N, I:H) with minor service disruption (A:L) and no data disclosure (C:N); OIDC dependency treated as a deployment precondition, not added complexity.
Primary rating from Vendor (GitHub_M).
CVSS VectorVendor: GitHub_M
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L
Lifecycle Timeline
3DescriptionCVE.org
Dashy is a self-hostable personal dashboard. Prior to 4.0.8, Dashy deployments using OIDC can allow unauthenticated users or non-admin authenticated users to write changes to the main config.yaml through the config-saving functionality despite configured permissions, allowing unauthorized modification of dashboard configuration and potential service disruption. This issue is fixed in version 4.0.8.
AnalysisAI
Unauthorized configuration write in Dashy self-hosted dashboard (versions prior to 4.0.8) lets unauthenticated users or non-admin authenticated users overwrite the central config.yaml via the config-saving endpoint when the deployment uses OIDC authentication, bypassing configured permission controls. Successful abuse enables tampering with dashboard configuration and potential service disruption. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires the Dashy instance to be deployed with OIDC as the authentication backend and to have the config-saving (write-to-config.yaml) functionality reachable - that specific configuration IS the precondition; instances not using OIDC are not affected by this bypass. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The provided CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:L, base 8.2) describes a network-reachable, low-complexity, unauthenticated integrity attack with no confidentiality loss and limited availability impact - consistent with silently rewriting configuration rather than reading data or executing code. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach an OIDC-configured Dashy instance over the network sends a crafted request to the config-saving functionality without valid admin privileges, and the server accepts the write despite the configured permissions. The attacker overwrites config.yaml - for example injecting altered links/widgets or malformed settings - to disrupt the dashboard or mislead users. … |
| Remediation | Vendor-released patch: upgrade to Dashy 4.0.8, which corrects the permission enforcement on the config-saving path (release: https://github.com/lissy93/dashy/releases/tag/4.0.8; advisory: https://github.com/lissy93/dashy/security/advisories/GHSA-vjj9-fmvr-6h3p). … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Audit your deployed Dashy versions and if running any release prior to 4.0.8, immediately implement network-level access controls restricting unauthenticated traffic to the configuration-saving endpoint. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
A vulnerability classified as critical has been found in Lissy93 Dashy 2.1.1. Rated medium severity (CVSS 4.3), this vul
Reflected XSS in Dashy's workspace view allows a remote attacker to execute arbitrary JavaScript in the victim's browser
Stored XSS via unsanitized `javascript:` URI injection in the Dashy RSS Feed widget (src/components/Widgets/RssFeed.vue)
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44759