CVE-2026-31881
Unauthenticated Password Reset in Runtipi Enables Admin Takeover

Publication date: 2026-03-11

Last updated on: 2026-03-16

Assigner: GitHub, Inc.

Description
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.
Meta Information
Generated: 2026-05-07
AI Q&A: 2026-03-11
EPSS Evaluated: 2026-05-05
Affected Vendors & Products
Vendor: runtipi
Product: runtipi
Version / Range: all versions before 4.8.0 (4.8.0 itself excluded)
CWE
CWE-306: The product does not perform any authentication for functionality that requires a provable user identity or consumes a significant amount of resources.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-31881 is a critical vulnerability in Runtipi versions prior to 4.8.0 that allows an unauthenticated attacker to take over the operator (admin) account. This happens because the password reset endpoint (/api/auth/reset-password) does not require authentication or authorization. During a 15-minute password reset window, any remote user can reset the operator password and log in as admin.

The vulnerability exists because the backend does not enforce authentication on the password reset POST request and only checks if the reset request timestamp is valid. When exploited, the attacker can change the admin password, disable two-factor authentication (TOTP), and force logout all legitimate sessions.


How can this vulnerability impact me?

This vulnerability can lead to a full account takeover of the operator (admin) account by any unauthenticated attacker during the active password reset window.

  • Complete compromise of the admin account.
  • Disabling of two-factor authentication, reducing account security.
  • Forced logout of all legitimate user sessions, causing denial of access to authorized users.
  • Potential unauthorized access to sensitive data and administrative functions.

How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by monitoring the availability and activity of the password reset window on the Runtipi server. Specifically, the GET /auth/reset-password endpoint is unauthenticated and reveals whether the 15-minute password reset window is active.

To detect if the vulnerability is exploitable on your system, you can send an HTTP GET request to the /auth/reset-password endpoint and check the response to see if a password reset request is currently active.

If the reset window is active, an unauthenticated POST request to /api/auth/reset-password can reset the operator password, indicating the system is vulnerable.

Example commands to detect the vulnerability:

  • Use curl to check if the reset window is active: curl -X GET http://<runtipi-server>/auth/reset-password
  • If the reset window is active, attempt to reset the password (testing only in a controlled environment): curl -X POST http://<runtipi-server>/api/auth/reset-password -d '{"password":"newpassword"}' -H 'Content-Type: application/json' [1]
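As an added defender-side example (not code from Runtipi, GitHub, or this advisory), the Node.js script below does two things a responder would want from the detection guidance above: it decides whether a reported Runtipi version is older than the fixed release 4.8.0, and it scans reverse-proxy access log lines for POST requests to /api/auth/reset-password, the request that performs the unauthenticated reset during the 15-minute window. It assumes the instance sits behind a proxy that writes Combined Log Format access logs; the log lines, the IP addresses and the allow-list of trusted source addresses are all constructed placeholders.

```javascript
// Added example for CVE-2026-31881 (not Runtipi project code).
// FIXED_VERSION comes from the advisory; everything else here is an assumption.
const FIXED_VERSION = "4.8.0";
const VULNERABLE_ENDPOINT = "/api/auth/reset-password";

// Accept "v4.7.2" or "4.7.2"; a prerelease/build suffix such as "-beta.1" is ignored.
function parseVersion(v) {
  const m = /^v?(\d+)\.(\d+)\.(\d+)/.exec(v.trim());
  if (!m) throw new Error(`unrecognised version string: ${v}`);
  return [Number(m[1]), Number(m[2]), Number(m[3])];
}

// Numeric, component-wise comparison (a plain string compare would rank 4.10.0 below 4.8.0).
function compareVersions(a, b) {
  const pa = parseVersion(a), pb = parseVersion(b);
  for (let i = 0; i < 3; i++) {
    if (pa[i] !== pb[i]) return pa[i] < pb[i] ? -1 : 1;
  }
  return 0;
}

// True when the running version predates the fix, i.e. the endpoint is still unauthenticated.
function isAffectedVersion(version) {
  return compareVersions(version, FIXED_VERSION) < 0;
}

// Minimal Combined Log Format parser; returns null for lines it cannot parse.
const CLF_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+/;

function parseAccessLogLine(line) {
  const m = CLF_RE.exec(line);
  if (!m) return null;
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]) };
}

// Return every POST to the vulnerable endpoint. The path is compared on its pathname only,
// so a query string cannot hide a hit. `allowedIps` is an operator-maintained allow-list
// (assumed, not something Runtipi provides); hits from other addresses warrant review.
function findResetPasswordPosts(lines, allowedIps = new Set()) {
  const hits = [];
  for (const line of lines) {
    const e = parseAccessLogLine(line);
    if (!e || e.method !== "POST") continue;
    if (e.path.split("?")[0] !== VULNERABLE_ENDPOINT) continue;
    hits.push({ ...e, trusted: allowedIps.has(e.ip) });
  }
  return hits;
}

// One-call summary for a host: fix status plus the POSTs from addresses not on the allow-list.
function assess(version, logLines, allowedIps) {
  const hits = findResetPasswordPosts(logLines, allowedIps);
  return {
    affectedVersion: isAffectedVersion(version),
    untrustedResetPosts: hits.filter((h) => !h.trusted),
  };
}

// Constructed sample log lines (not real traffic); 10.0.0.5 plays the legitimate operator.
const SAMPLE_LOG = [
  '192.0.2.10 - - [11/Mar/2026:10:00:01 +0000] "GET /auth/reset-password HTTP/1.1" 200 512',
  '192.0.2.10 - - [11/Mar/2026:10:00:05 +0000] "POST /api/auth/reset-password HTTP/1.1" 200 87',
  '10.0.0.5 - - [11/Mar/2026:10:01:00 +0000] "POST /api/auth/reset-password?x=1 HTTP/1.1" 200 87',
  '10.0.0.5 - - [11/Mar/2026:10:02:00 +0000] "GET /dashboard HTTP/1.1" 200 4096',
  "garbage line that does not parse",
];

const TRUSTED_IPS = new Set(["10.0.0.5"]); // placeholder allow-list
console.log(JSON.stringify(assess("4.7.2", SAMPLE_LOG, TRUSTED_IPS), null, 2));
```

Run it with `node` on a host's real access log (one line per array element) and the instance's reported version; a non-empty `untrustedResetPosts` on an affected version is the signal that the reset window was used by someone other than the operator and that the admin credentials should be treated as compromised.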


What immediate steps should I take to mitigate this vulnerability?

The immediate mitigation step is to upgrade Runtipi to version 4.8.0 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict network access to the Runtipi server, especially blocking unauthenticated access to the /api/auth/reset-password and /auth/reset-password endpoints.

Monitor and disable any active password reset requests promptly to reduce the window of opportunity for attackers.

Consider implementing additional network-level protections such as firewall rules or VPN access to limit exposure.

