CVE-2026-34408
Deferred Deferred - Pending Action
Password Reset Bypass in Gambio

Publication date: 2026-05-05

Last updated on: 2026-05-06

Assigner: MITRE

Description
An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-05-05
Last Modified
2026-05-06
Generated
2026-06-16
AI Q&A
2026-05-05
EPSS Evaluated
2026-06-15
NVD
CVE-2026-34408
EUVD
EUVD-2026-27323
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gambio gambio From 4.0.0.0 (exc) to 4.9.2.0 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Compliance Impact

The vulnerability in Gambio 4.9.2.0 allows an attacker to bypass the password reset function and set arbitrary passwords for arbitrary accounts if the account ID is known. This weakness in the password recovery mechanism could lead to unauthorized access to user accounts.

Such unauthorized access risks compromising personal and sensitive data, which may impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding user data and ensuring secure authentication mechanisms.

However, the provided information does not explicitly discuss the direct impact on compliance with these standards or any regulatory consequences.

Executive Summary

This vulnerability exists in Gambio version 4.9.2.0 and allows an attacker to bypass the password reset function. If the attacker knows the user ID, they can set arbitrary passwords for arbitrary accounts without authorization.

Impact Analysis

The vulnerability can lead to unauthorized account takeovers because attackers can reset passwords for any account if they know the user ID. This compromises account security and can result in loss of control over user accounts.

Mitigation Strategies

To mitigate this vulnerability, you should apply the security update 2024-02 v1.0 provided by Gambio for GX4 versions from v4.0.0.0 up to v4.9.2.0.

This update patches the password reset function to prevent bypassing and arbitrary password setting for accounts.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-34408. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart