Executive Summary

CVE-2026-31881 is a critical vulnerability in Runtipi versions prior to 4.8.0 that allows an unauthenticated attacker to take over the operator (admin) account. This happens because the password reset endpoint (/api/auth/reset-password) does not require authentication or authorization. During a 15-minute password reset window, any remote user can reset the operator password and log in as admin.

The vulnerability exists because the backend does not enforce authentication on the password reset POST request and only checks if the reset request timestamp is valid. When exploited, the attacker can change the admin password, disable two-factor authentication (TOTP), and force logout all legitimate sessions.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can lead to a full account takeover of the operator (admin) account by any unauthenticated attacker during the active password reset window.

• Complete compromise of the admin account.
• Disabling of two-factor authentication, reducing account security.
• Forced logout of all legitimate user sessions, causing denial of access to authorized users.
• Potential unauthorized access to sensitive data and administrative functions.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring the availability and activity of the password reset window on the Runtipi server. Specifically, the GET /auth/reset-password endpoint is unauthenticated and reveals whether the 15-minute password reset window is active.'}, {'type': 'paragraph', 'content': 'To detect if the vulnerability is exploitable on your system, you can send an HTTP GET request to the /auth/reset-password endpoint and check the response to see if a password reset request is currently active.'}, {'type': 'paragraph', 'content': 'If the reset window is active, an unauthenticated POST request to /api/auth/reset-password can reset the operator password, indicating the system is vulnerable.'}, {'type': 'paragraph', 'content': 'Example commands to detect the vulnerability:'}, {'type': 'list_item', 'content': 'Use curl to check if the reset window is active: curl -X GET http://<runtipi-server>/auth/reset-password'}, {'type': 'list_item', 'content': 'If the reset window is active, attempt to reset the password (testing only in a controlled environment): curl -X POST http://<runtipi-server>/api/auth/reset-password -d \'{"password":"newpassword"}\' -H \'Content-Type: application/json\''}] [1]

Useful 0 Not Useful 0

Mitigation Strategies

The immediate mitigation step is to upgrade Runtipi to version 4.8.0 or later, where this vulnerability is fixed.

Until the upgrade can be performed, restrict network access to the Runtipi server, especially blocking unauthenticated access to the /api/auth/reset-password and /auth/reset-password endpoints.

Monitor and disable any active password reset requests promptly to reduce the window of opportunity for attackers.

Consider implementing additional network-level protections such as firewall rules or VPN access to limit exposure.

Useful 0 Not Useful 0