CVE-2026-26273
Broken Authentication in Known Platform Allows Account Takeover
Publication date: 2026-02-13
Last updated on: 2026-02-18
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| withknown | known | < 1.6.3 (1.6.3 excluded) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-640 | The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak. |
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in the Known social publishing platform versions 1.6.2 and earlier. It is a Critical Broken Authentication issue where the password reset token is leaked within a hidden HTML input field on the password reset page.
Because of this, any unauthenticated attacker can retrieve the reset token for any user simply by querying the user's email address. This allows the attacker to take over the victim's account without needing access to their email inbox.
The vulnerability is fixed in version 1.6.3.
How can this vulnerability impact me?
This vulnerability can lead to a full Account Takeover (ATO) for any user on the Known platform running vulnerable versions.
An attacker can gain unauthorized access to user accounts without needing the victim's email credentials, potentially leading to data theft, impersonation, and unauthorized actions performed on behalf of the victim.
Given the high CVSS score of 9.8, the impact includes complete compromise of confidentiality, integrity, and availability of affected accounts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by inspecting the password reset page of the Known social publishing platform (version 1.6.2 and earlier) to see if the password reset token is exposed within a hidden HTML input field.
A practical approach is to perform an HTTP request to the password reset page and analyze the response for the presence of a hidden input field containing the reset token.
For example, you can use the following curl command to fetch the password reset page HTML and then search it for hidden input fields:
- curl -s 'http://target-known-site/password-reset' | grep -i 'input type="hidden"'
If one of the hidden input fields carries the password reset token itself, the instance is vulnerable; a page that exposes only a CSRF token or form identifier is not affected by this issue.
What immediate steps should I take to mitigate this vulnerability?
The immediate and most effective mitigation is to upgrade the Known platform to version 1.6.3 or later, where this vulnerability is fixed.
Until the upgrade can be performed, restrict access to the password reset page to trusted users or implement additional server-side validation to prevent unauthenticated attackers from retrieving reset tokens.
Additionally, monitor for suspicious activity related to password resets and consider resetting all user passwords if compromise is suspected.