CVE-2026-32602
Race Condition in Homarr User Registration Allows Multiple Accounts
Publication date: 2026-04-06
Last updated on: 2026-04-10
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| homarr | homarr | up to 1.57.0 (exclusive) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-367 | The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-32602 is a race condition vulnerability in the Homarr open-source dashboard's user registration endpoint (/api/trpc/user.register) prior to version 1.57.0.
The vulnerability arises because the registration process performs three sequential database operations (checking the invite token, creating a user, and deleting the invite token) without wrapping them in a single atomic transaction.
This allows multiple concurrent registration requests to pass the validation step before the invite token is deleted, enabling an attacker to create multiple user accounts from a single-use invite token that was intended to be used only once.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access by allowing an attacker to create multiple fully functional user accounts using a single invite token.
- Bypass of the single-use restriction on invite tokens.
- Creation of multiple rogue user accounts that can persist even if some are detected and removed.
- Potential abuse at scale, as one invite token can be reused multiple times to create many accounts.
The overall impact is moderate with low confidentiality and integrity impact, no availability impact, and requires low privileges but high attack complexity.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for multiple user accounts created using the same single-use invite token, which should normally only allow one registration.
One practical approach is to analyze the application logs or database records for concurrent or repeated registrations with the same invite token.
Since the exploit involves sending multiple concurrent requests to the vulnerable endpoint (/api/trpc/user.register), network traffic analysis tools could be used to detect bursts of simultaneous registration attempts.
Suggested commands or methods include:
- Query the user database to find multiple accounts created with the same invite token.
- Use log analysis tools (e.g., grep, awk) to search for repeated usage of the same invite token in registration logs.
- Monitor network traffic for multiple simultaneous POST requests to /api/trpc/user.register endpoint.
- Example command to count how often each invite token appears in registration log lines (replace `N` with the number of the whitespace-separated field that holds the token in your log format; the command is only meaningful if the token is logged): `grep '/api/trpc/user.register' /path/to/logfile | awk '{print $N}' | sort | uniq -c | sort -nr`
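The same check as a small script, added here as an illustration and not part of the original page or of Homarr: it groups successful registrations by invite token and reports any token that completed registration more than once, together with the time span between the first and last success (a span of a few milliseconds is the signature of a concurrent burst rather than a slow manual reuse). The log line format, the field names `invite=` and `status=`, and the sample entries are all constructed for this example; the real Homarr or reverse-proxy log format is not given on the page, so `parseLine` must be adapted to it.

```typescript
// Added illustration (not Homarr's code). Counts successful registrations per
// invite token in request logs and flags tokens that were used more than once.
// The log format below is constructed for this example; adapt `parseLine` to
// the reverse-proxy or application log format actually in use.
interface RegistrationEvent {
  time: Date;
  token: string;
  status: number;
}

// Constructed sample log lines: four requests with the same invite token within
// 40 ms (three succeed), plus one normal single-use registration and one
// unrelated request that the parser must ignore.
const SAMPLE_LOG = `
2026-04-06T10:00:00.100Z POST /api/trpc/user.register invite=tok_aaa status=200
2026-04-06T10:00:00.112Z POST /api/trpc/user.register invite=tok_aaa status=200
2026-04-06T10:00:00.125Z POST /api/trpc/user.register invite=tok_aaa status=200
2026-04-06T10:00:00.140Z POST /api/trpc/user.register invite=tok_aaa status=400
2026-04-06T10:05:00.000Z POST /api/trpc/user.register invite=tok_bbb status=200
2026-04-06T10:06:00.000Z GET /api/trpc/board.list status=200
`;

// Assumed line layout: "<ISO timestamp> POST <path> invite=<token> status=<code>".
const LINE_RE = /^(\S+) POST \/api\/trpc\/user\.register invite=(\S+) status=(\d+)$/;

function parseLine(line: string): RegistrationEvent | null {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null;
  return { time: new Date(m[1]), token: m[2], status: Number(m[3]) };
}

interface Finding {
  token: string;
  successes: number; // number of registrations that returned 200 with this token
  windowMs: number;  // span between the first and the last successful use
}

// Returns every token that completed registration more than once. Failed
// attempts (non-200) are ignored: a single-use token that is rejected on its
// second use is the correct behaviour, not a finding.
function findReusedTokens(log: string): Finding[] {
  const byToken = new Map<string, Date[]>();
  for (const line of log.split('\n')) {
    const ev = parseLine(line);
    if (!ev || ev.status !== 200) continue;
    const list = byToken.get(ev.token) ?? [];
    list.push(ev.time);
    byToken.set(ev.token, list);
  }
  const findings: Finding[] = [];
  byToken.forEach((times, token) => {
    if (times.length < 2) return;
    const ms = times.map((t) => t.getTime());
    findings.push({ token, successes: times.length, windowMs: Math.max(...ms) - Math.min(...ms) });
  });
  return findings;
}

console.log(findReusedTokens(SAMPLE_LOG)); // [ { token: 'tok_aaa', successes: 3, windowMs: 25 } ]
```

Run it against a real log export by replacing `SAMPLE_LOG` with the file contents; a token with `successes` greater than one and a `windowMs` well under a second is the pattern this CVE produces, while a large window points at token reuse by other means and deserves a separate look.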
What immediate steps should I take to mitigate this vulnerability?
The immediate mitigation step is to upgrade the Homarr application to version 1.57.0 or later, where this race condition vulnerability is fixed.
If upgrading immediately is not possible, consider implementing temporary controls such as:
- Rate limiting or throttling concurrent registration requests to reduce the chance of race conditions.
- Manually monitoring and invalidating invite tokens after a single use.
- Reviewing and applying patches or code changes that wrap the CHECK, CREATE, and DELETE operations inside a single database transaction to ensure atomicity.
The root fix involves ensuring the registration flow's database operations are atomic, preventing multiple accounts from being created with a single invite token.
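To make the check-then-use gap concrete, the following is an added illustration in TypeScript (Homarr's language); it is not Homarr's code and uses an in-memory fake database of my own rather than Homarr's ORM. The vulnerable flow performs the token check, the user creation and the token deletion as three separate round-trips, so every concurrent request that reaches the check before the first deletion passes it. The hardened flow consumes the token in one atomic step before creating the user; in a real database that step is a single `DELETE ... WHERE token = ? RETURNING ...` or a transaction that locks the invite row before reading it, which is what "wrapping the operations in a single transaction" achieves. Each fake DB call awaits a microtask so that concurrent requests interleave the way independent database round-trips do.

```typescript
// Added illustration (not Homarr's code): one single-use invite token under
// concurrent registration requests. InMemoryDb stands in for the real database.
const tick = () => Promise.resolve(); // one scheduling point, like a DB round-trip

class InMemoryDb {
  tokens = new Set<string>();
  users: string[] = [];

  async tokenExists(token: string): Promise<boolean> {
    await tick();
    return this.tokens.has(token);
  }
  async createUser(name: string): Promise<void> {
    await tick();
    this.users.push(name);
  }
  async deleteToken(token: string): Promise<void> {
    await tick();
    this.tokens.delete(token);
  }
  // Atomic check-and-consume. In a real database this is a single
  // `DELETE ... WHERE token = ? RETURNING ...`, or a transaction that locks the
  // invite row before reading it, so no other request can observe the token
  // between the check and the delete. Set.delete() returns true only for the
  // caller that actually removed the entry.
  async claimToken(token: string): Promise<boolean> {
    await tick();
    return this.tokens.delete(token);
  }
}

// Vulnerable flow (CWE-367): check, create and delete as three separate steps.
// Every request that runs its check before the first delete lands gets through.
async function registerVulnerable(db: InMemoryDb, token: string, name: string): Promise<boolean> {
  if (!(await db.tokenExists(token))) return false; // check
  await db.createUser(name);                          // use
  await db.deleteToken(token);                         // invalidate, too late
  return true;
}

// Hardened flow: consume the token atomically first, then create the user.
// Only the request whose claim succeeds may proceed.
async function registerHardened(db: InMemoryDb, token: string, name: string): Promise<boolean> {
  if (!(await db.claimToken(token))) return false;
  await db.createUser(name);
  return true;
}

// Fire `n` registrations concurrently with the same (constructed) token and
// report how many accounts exist afterwards.
async function raceRegistrations(
  register: (db: InMemoryDb, token: string, name: string) => Promise<boolean>,
  n: number,
): Promise<number> {
  const db = new InMemoryDb();
  const token = 'invite-constructed-0001'; // constructed sample token
  db.tokens.add(token);
  const attempts = Array.from({ length: n }, (_unused, i) => register(db, token, `user${i}`));
  await Promise.all(attempts);
  return db.users.length;
}

async function demo(): Promise<{ vulnerable: number; hardened: number }> {
  return {
    vulnerable: await raceRegistrations(registerVulnerable, 5),
    hardened: await raceRegistrations(registerHardened, 5),
  };
}

demo().then((r) => console.log(r)); // { vulnerable: 5, hardened: 1 }
```

The two flows differ only in where the token is invalidated relative to the check; moving the deletion earlier without making it atomic with the check would narrow the window but not close it, which is why the fix the page describes is a transaction rather than a reordering.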
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability allows an attacker to create multiple user accounts from a single-use invite token due to a race condition in the registration process. This can lead to unauthorized access and abuse at scale by enabling multiple rogue accounts.
While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized creation of multiple user accounts could potentially impact compliance by undermining access control and user data integrity requirements common in these regulations.
Specifically, unauthorized account creation may increase the risk of data breaches or misuse of personal data, which are critical concerns under GDPR and HIPAA. Therefore, this vulnerability could negatively affect compliance by weakening controls designed to protect user data and restrict access.