CVE-2026-32602
Received Received - Intake
Race Condition in Homarr User Registration Allows Multiple Accounts

Publication date: 2026-04-06

Last updated on: 2026-04-10

Assigner: GitHub, Inc.

Description
Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: CHECK, CREATE, and DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-06
Last Modified
2026-04-10
Generated
2026-06-16
AI Q&A
2026-04-06
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32602
EUVD
EUVD-2026-19277
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
homarr homarr to 1.57.0 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-367 The product checks the state of a resource before using that resource, but the resource's state can change between the check and the use in a way that invalidates the results of the check.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker to create multiple user accounts from a single-use invite token due to a race condition in the registration process. This can lead to unauthorized access and abuse at scale by enabling multiple rogue accounts.

While the CVE description and resources do not explicitly mention compliance with standards such as GDPR or HIPAA, the unauthorized creation of multiple user accounts could potentially impact compliance by undermining access control and user data integrity requirements common in these regulations.

Specifically, unauthorized account creation may increase the risk of data breaches or misuse of personal data, which are critical concerns under GDPR and HIPAA. Therefore, this vulnerability could negatively affect compliance by weakening controls designed to protect user data and restrict access.

Executive Summary

CVE-2026-32602 is a race condition vulnerability in the Homarr open-source dashboard's user registration endpoint (/api/trpc/user.register) prior to version 1.57.0.

The vulnerability arises because the registration process performs three sequential database operationsβ€”checking the invite token, creating a user, and deleting the invite tokenβ€”without wrapping them in a single atomic transaction.

This allows multiple concurrent registration requests to pass the validation step before the invite token is deleted, enabling an attacker to create multiple user accounts from a single-use invite token that was intended to be used only once.

Impact Analysis

This vulnerability can lead to unauthorized access by allowing an attacker to create multiple fully functional user accounts using a single invite token.

  • Bypass of the single-use restriction on invite tokens.
  • Creation of multiple rogue user accounts that can persist even if some are detected and removed.
  • Potential abuse at scale, as one invite token can be reused multiple times to create many accounts.

The overall impact is moderate with low confidentiality and integrity impact, no availability impact, and requires low privileges but high attack complexity.

Detection Guidance

This vulnerability can be detected by monitoring for multiple user accounts created using the same single-use invite token, which should normally only allow one registration.

One practical approach is to analyze the application logs or database records for concurrent or repeated registrations with the same invite token.

Since the exploit involves sending multiple concurrent requests to the vulnerable endpoint (/api/trpc/user.register), network traffic analysis tools could be used to detect bursts of simultaneous registration attempts.

Suggested commands or methods include:

  • Query the user database to find multiple accounts created with the same invite token.
  • Use log analysis tools (e.g., grep, awk) to search for repeated usage of the same invite token in registration logs.
  • Monitor network traffic for multiple simultaneous POST requests to /api/trpc/user.register endpoint.
  • Example command to find repeated invite tokens in logs: `grep '/api/trpc/user.register' /path/to/logfile | awk '{print $invite_token_field}' | sort | uniq -c | sort -nr`
Mitigation Strategies

The immediate mitigation step is to upgrade the Homarr application to version 1.57.0 or later, where this race condition vulnerability is fixed.

If upgrading immediately is not possible, consider implementing temporary controls such as:

  • Rate limiting or throttling concurrent registration requests to reduce the chance of race conditions.
  • Manually monitoring and invalidating invite tokens after a single use.
  • Reviewing and applying patches or code changes that wrap the CHECK, CREATE, and DELETE operations inside a single database transaction to ensure atomicity.

The root fix involves ensuring the registration flow's database operations are atomic, preventing multiple accounts from being created with a single invite token.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32602. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart