CVE-2026-45013
Status: Received - Intake
Password Reset Token Leak in ApostropheCMS

Publication date: 2026-06-12

Last updated on: 2026-06-12

Assigner: GitHub, Inc.

Description
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset request that causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid reset token is delivered to the attacker's server, enabling full account takeover. As of the time of publication, no patched versions are available.
Meta Information
Generated: 2026-06-13
EPSS Evaluated: N/A
Affected Vendors & Products (1 associated CPE)
Vendor: apostrophecms
Product: apostrophe
Version / Range: up to and including 4.29.0
CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-640: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Executive Summary

This vulnerability exists in ApostropheCMS versions up to and including 4.29.0. The password reset flow constructs the reset URL using the hostname from the HTTP Host header, which an attacker can control if the base URL is not explicitly configured. An unauthenticated attacker who knows a victim's email can send a crafted password reset request that causes the victim to receive a reset link pointing to the attacker's domain.

When the victim clicks the malicious reset link, the valid reset token is sent to the attacker, allowing the attacker to take over the victim's account.

Impact Analysis

This vulnerability can lead to full account takeover by an attacker without requiring authentication. The attacker can gain unauthorized access to user accounts by tricking victims into clicking a malicious password reset link.

Such an account compromise can result in loss of sensitive data, unauthorized actions performed on behalf of the victim, and potential further exploitation within the affected system.

Mitigation Strategies

To mitigate this vulnerability, explicitly configure the `apos.baseUrl` setting in ApostropheCMS so that the password reset URL is built from a fixed, trusted origin rather than from the HTTP `Host` header. Note that Express derives `req.hostname` from the `X-Forwarded-Host` header when the application is configured to trust its proxy, so the reverse proxy in front of the CMS should also overwrite or drop that header and reject requests whose `Host` value is not one of the site's known hostnames.

Since no patched versions are available as of the publication date, this configuration change is the primary control against attackers crafting reset links that point to domains they control.
