CVE-2026-41308
Status: Undergoing Analysis - In Progress
Unauthenticated File Push Creation in Password Pusher

Publication date: 2026-05-08

Last updated on: 2026-05-08

Assigner: GitHub, Inc.

Description
Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.
Meta Information
Published: 2026-05-08
Last Modified: 2026-05-08
Generated: 2026-05-09
AI Q&A: 2026-05-08
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 4 associated CPEs

| Vendor | Product | Version / Range |
| --- | --- | --- |
| password_pusher | password_pusher | up to 1.69.3 (excluding) |
| password_pusher | password_pusher | up to 2.4.2 (excluding) |
| pglombardo | passwordpusher | up to 1.69.4 (excluding) |
| pglombardo | passwordpusher | up to 2.4.2 (excluding) |
CWE
CWE-288: The product requires authentication, but the product has an alternate path or channel that does not require authentication.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-41308 is a security vulnerability in the open source application PasswordPusher that allowed unauthenticated users to create file-type pushes through a JSON API endpoint under certain configurations.

Specifically, the issue was that file upload authentication enforcement was insufficient, permitting file uploads without valid API authentication regardless of whether anonymous creation was enabled or disabled.

This bypassed the intended authentication boundary for file push creation, allowing unauthorized file uploads.

The vulnerability was fixed by introducing stricter authentication checks that require valid API token authentication for all file uploads, regardless of anonymous creation settings.


How can this vulnerability impact me?

This vulnerability could allow unauthorized users to upload files to the PasswordPusher system without authentication.

The impact includes potential unauthorized resource consumption such as storage and bandwidth usage.

While it does not directly compromise data confidentiality, it can affect the integrity and availability of the system by allowing malicious or unwanted file uploads.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability involves unauthenticated creation of file-type pushes through a JSON API endpoint in PasswordPusher. Detection can focus on monitoring API requests that create file pushes without valid authentication tokens.

You can detect potential exploitation by inspecting logs or network traffic for unauthenticated POST requests to the file push creation endpoints, such as the legacy `/p.json` or the newer `/api/v2/pushes` endpoints.

Suggested commands include using network monitoring or log analysis tools to filter for such requests. For example, using `grep` on server logs to find unauthenticated file push creation attempts:

  • grep 'POST /p.json' /path/to/access.log | grep -v 'Authorization'
  • grep 'POST /api/v2/pushes' /path/to/access.log | grep -v 'Authorization'

Alternatively, using network packet capture tools like tcpdump or Wireshark to filter HTTP POST requests to these endpoints without authentication headers can help identify suspicious activity.
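As an added example (not part of this advisory or of the Password Pusher project), the following Python applies the log check described above to constructed access-log lines. It assumes a custom log format that records the Authorization header as a trailing quoted field, because the default combined format does not log request headers and the `grep -v 'Authorization'` filter would then match every line; it also cannot tell a file push from a text push, since the push type is only visible in the request body, so it reports every unauthenticated POST to the create endpoints.

```python
import re
from typing import Iterable

# Push-create endpoints named in the advisory text.
CREATE_PATHS = ("/p.json", "/api/v2/pushes")

# Assumed custom nginx-style format: combined format with the Authorization
# header appended as a final quoted field. The default combined format does
# not record request headers, so it must be logged explicitly for this check.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "[^"]*" "(?P<auth>[^"]*)"$'
)

def is_create_path(path: str) -> bool:
    # Drop the query string; routing matches on the path only.
    return path.split("?", 1)[0] in CREATE_PATHS

def suspicious_creates(lines: Iterable[str]) -> list[dict]:
    """POSTs to a push-create endpoint that carried no Authorization header.
    A 2xx hit is the accepted unauthenticated create the advisory describes;
    rejected hits are kept too, marked as probes of the endpoint."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # other format or truncated line: skip, don't guess
        if m["method"] != "POST" or not is_create_path(m["path"]):
            continue
        if m["auth"] not in ("", "-"):
            continue  # authenticated API call: expected use
        status = int(m["status"])
        hits.append({"ip": m["ip"], "time": m["time"],
                     "path": m["path"].split("?", 1)[0],
                     "status": status, "accepted": 200 <= status < 300})
    return hits

# Constructed sample lines (not real traffic; addresses are documentation ranges).
SAMPLE_LOG = [
    '203.0.113.7 - - [08/May/2026:10:00:01 +0000] "POST /p.json HTTP/1.1" 201 312 "-" "curl/8.5.0" "-"',
    '203.0.113.7 - - [08/May/2026:10:00:02 +0000] "POST /api/v2/pushes HTTP/1.1" 401 45 "-" "curl/8.5.0" "-"',
    '198.51.100.4 - - [08/May/2026:10:00:03 +0000] "POST /api/v2/pushes HTTP/1.1" 201 320 "-" "python-requests/2.31" "Bearer [redacted]"',
    '198.51.100.4 - - [08/May/2026:10:00:04 +0000] "GET /p/abc123.json HTTP/1.1" 200 512 "-" "Mozilla/5.0" "-"',
    '203.0.113.7 - - [08/May/2026:10:00:05 +0000] "POST /p.json?lang=en HTTP/1.1" 201 312 "-" "curl/8.5.0" "-"',
]
```

On the sample above, `suspicious_creates(SAMPLE_LOG)` returns three hits from 203.0.113.7: two accepted creates (HTTP 201) and one rejected probe (HTTP 401); the authenticated create and the GET are not reported.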


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in PasswordPusher allowed unauthenticated users to create file-type pushes through the API, potentially enabling unauthorized file uploads. While this could lead to unauthorized resource consumption such as storage and bandwidth usage, it did not directly impact data confidentiality.

Because the issue could allow unauthorized file uploads, it may pose risks related to data integrity and availability, which are important considerations under standards like GDPR and HIPAA. However, there is no direct indication from the provided information that sensitive personal data confidentiality was compromised.

Organizations using affected versions prior to the patch might face compliance challenges if unauthorized file uploads lead to exposure or misuse of sensitive information, as these regulations require strict controls over access and protection of sensitive data.

The patch enforces authentication for file uploads, helping to restore compliance by ensuring that only authorized users can perform these operations, thereby reducing the risk of unauthorized access or data manipulation.


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include upgrading PasswordPusher to versions 1.69.4 or 2.4.2 or later, where the vulnerability has been patched by enforcing authentication for file push creation.

If upgrading is not immediately possible, temporary mitigations include disabling anonymous creation of pushes and restricting file push capabilities to authenticated users only.

Additionally, monitoring for unusual or unauthorized file push creation activity can help detect exploitation attempts while mitigation is in progress.

