CVE-2025-56449
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-09-29

Last updated on: 2025-10-28

Assigner: MITRE

Description
A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 thru 6.3.0. If an account is locked out due to not enrolling in MFA (e.g. after the 7-day enforcement window), the REST API still allows the use of Basic Authentication to authenticate and perform administrative actions. In particular, the default admin account was found to be locked out via the web interface but still usable through the REST API. This allowed creation of a new privileged user, bypassing MFA protections. This undermines the intended security posture of MFA enforcement.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-09-29
Last Modified
2025-10-28
Generated
2026-06-16
AI Q&A
2025-09-29
EPSS Evaluated
2026-06-15
NVD
CVE-2025-56449
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
obsidian_scheduler obsidian_scheduler 5.0.0
obsidian_scheduler obsidian_scheduler 6.3.0
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability in Obsidian Scheduler's REST API versions 5.0.0 through 6.3.0 allows an attacker to bypass Multi-Factor Authentication (MFA) enforcement. Even if an account is locked out due to not enrolling in MFA after the enforcement window, the REST API still permits Basic Authentication to perform administrative actions. For example, the default admin account could be locked out via the web interface but remained accessible through the REST API, enabling the creation of new privileged users and undermining the intended security of MFA enforcement. [1]

Impact Analysis

This vulnerability can allow unauthorized users to gain administrative access to the Obsidian Scheduler system despite MFA enforcement policies. Attackers could use locked-out accounts to authenticate via the REST API using Basic Authentication, potentially creating new privileged users and compromising the system's security posture. [1]

Detection Guidance

You can detect this vulnerability by checking if locked-out accounts due to MFA enforcement are still able to authenticate via the REST API using Basic Authentication. Specifically, test if the default admin account or other locked accounts can perform administrative actions through the REST API despite being locked out on the web interface. Commands to test this could include using curl to attempt Basic Authentication against the REST API endpoints with locked-out user credentials, for example: curl -u admin:password -X GET https://your-obsidian-server/api/admin or similar REST API calls to verify if access is granted despite account lockout. [1]

Mitigation Strategies

The immediate mitigation step is to upgrade Obsidian Scheduler to version 6.3.1 or later, where this authentication vulnerability has been fixed. This update enforces proper MFA and account lockout restrictions on REST API access, preventing unauthorized administrative actions via Basic Authentication on locked accounts. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-56449. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart