CVE-2026-26273
Unknown Unknown - Not Provided
Broken Authentication in Known Platform Allows Account Takeover

Publication date: 2026-02-13

Last updated on: 2026-02-18

Assigner: GitHub, Inc.

Description
Known is a social publishing platform. Prior to 1.6.3, a Critical Broken Authentication vulnerability exists in Known 1.6.2 and earlier. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-02-13
Last Modified
2026-02-18
Generated
2026-06-16
AI Q&A
2026-02-14
EPSS Evaluated
2026-06-15
NVD
CVE-2026-26273
EUVD
EUVD-2026-7362
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
withknown known to 1.6.3 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in the Known social publishing platform versions 1.6.2 and earlier. It is a Critical Broken Authentication issue where the password reset token is leaked within a hidden HTML input field on the password reset page.

Because of this, any unauthenticated attacker can retrieve the reset token for any user simply by querying the user's email address. This allows the attacker to take over the victim's account without needing access to their email inbox.

The vulnerability is fixed in version 1.6.3.

Impact Analysis

This vulnerability can lead to a full Account Takeover (ATO) for any user on the Known platform running vulnerable versions.

An attacker can gain unauthorized access to user accounts without needing the victim's email credentials, potentially leading to data theft, impersonation, and unauthorized actions performed on behalf of the victim.

Given the high CVSS score of 9.8, the impact includes complete compromise of confidentiality, integrity, and availability of affected accounts.

Compliance Impact

I don't know

Detection Guidance

This vulnerability can be detected by inspecting the password reset page of the Known social publishing platform (version 1.6.2 and earlier) to see if the password reset token is exposed within a hidden HTML input field.

A practical approach is to perform an HTTP request to the password reset page and analyze the response for the presence of a hidden input field containing the reset token.

For example, you can use the following curl command to fetch the password reset page HTML and then search for hidden input fields:

  • curl -s 'http://target-known-site/password-reset' | grep -i 'input type="hidden"'

If you find a hidden input field that contains a password reset token, this indicates the presence of the vulnerability.

Mitigation Strategies

The immediate and most effective mitigation is to upgrade the Known platform to version 1.6.3 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict access to the password reset page to trusted users or implement additional server-side validation to prevent unauthenticated attackers from retrieving reset tokens.

Additionally, monitor for suspicious activity related to password resets and consider resetting all user passwords if compromise is suspected.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-26273. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart