Skip to main content

Maybe Finance EUVDEUVD-2026-45199

| CVE-2026-63100 HIGH
Missing Authorization (CWE-862)
2026-07-17 VulnCheck
7.1
CVSS 4.0 · Vendor: VulnCheck
Share

Severity by source

Vendor (VulnCheck) PRIMARY
7.1 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
vuln.today AI
8.1 HIGH

Any authenticated low-priv member exploits an unprotected action over the network (PR:L, AC:L, UI:N); reading the API key gives C:H and rewriting global settings gives I:H, with no direct availability loss.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (VulnCheck).

CVSS VectorVendor: VulnCheck

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

2
Analysis Generated
Jul 17, 2026 - 16:17 vuln.today
CVE Published
Jul 17, 2026 - 15:45 cve.org
HIGH 7.1

DescriptionCVE.org

Maybe through 0.6.0 contains a missing authorization vulnerability that allows authenticated low-privilege member-role users to access and modify global hosting settings by exploiting unprotected show and update actions in the Settings::HostingsController, where the before_action ensure_admin filter is applied only to the clear_cache action. Attackers can read the operator's Synth API key rendered in plaintext via a form field value attribute, overwrite it with an attacker-controlled value, toggle public registration settings, and disable email confirmation requirements to disrupt the entire instance.

AnalysisAI

Broken access control in Maybe Finance (self-hosted personal finance app) through 0.6.0 lets any authenticated low-privilege member-role user read and rewrite instance-wide hosting settings because Settings::HostingsController applies the ensure_admin before_action only to clear_cache, leaving show and update exposed. A member can exfiltrate the operator's Synth API key rendered in plaintext in a form field, replace it with an attacker-controlled value, enable open public registration, and disable email-confirmation enforcement to disrupt the instance. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain low-privilege member account
Delivery
Browse to Settings::Hostings show action
Exploit
Read Synth API key from form field
Execution
Submit crafted update request
Persist
Overwrite key and enable open registration
Impact
Disable email confirmation to disrupt instance

Vulnerability AssessmentAI

Exploitation Requires an authenticated low-privilege member-role account on the target Maybe instance (CVSS PR:L, so authenticated but not admin) and network reachability to the app (AV:N). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N, score 7.1) captures network reachability, low complexity, and low-privilege authentication, and rates confidentiality High for the leaked Synth API key - but it scores integrity as VI:N, which understates the flaw because the same update action lets a member overwrite the API key and toggle registration and email-confirmation settings; those are clear integrity impacts, so an independent assessment raises integrity to High. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker registers or is granted a normal member account on a Maybe instance, then browses directly to the hosting settings page where the Synth API key is exposed in plaintext in a form field. Using the public exploit code, they submit an update request that steals or replaces the API key, flips public registration on, and disables email confirmation, degrading the instance and abusing the operator's third-party API quota. …
Remediation No vendor-released patch version is identified in the available data, so track the advisories for current fix status: VulnCheck (https://www.vulncheck.com/advisories/maybe-missing-authorization-via-hostingscontroller-show-update) and the write-up (https://github.com/geo-chen/oss/blob/main/maybe.md); upgrade to a fixed release as soon as maintainers publish one that moves ensure_admin to a controller-wide before_action covering show and update. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: immediately restrict or revoke access for member-role accounts in all affected Maybe Finance instances and rotate the operator's Synth API key to invalidate any exfiltrated credentials. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-45199 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy