CVE-2026-45013
Status: Deferred - Pending Action

Password Reset Token Leak in ApostropheCMS

Vulnerability report for CVE-2026-45013, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-12

Last updated on: 2026-06-15

Assigner: GitHub, Inc.

Description

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset request that causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid reset token is delivered to the attacker, enabling full account takeover. As of the time of publication, no known patched versions are available.


Meta Information

Published: 2026-06-12
Last Modified: 2026-06-15
Generated: 2026-07-03
AI Q&A: 2026-06-13
EPSS Evaluated: 2026-07-01

Affected Vendors & Products

Vendor: apostrophecms
Product: apostrophe
Version / Range: up to and including 4.29.0

CWE
CWE-20: The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.
CWE-640: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

AI Quick Actions

Executive Summary

This vulnerability exists in ApostropheCMS versions up to and including 4.29.0. The password reset flow constructs the reset URL using the hostname from the HTTP Host header, which an attacker can control if the base URL is not explicitly configured. An unauthenticated attacker who knows a victim's email can send a crafted password reset request that causes the victim to receive a reset link pointing to the attacker's domain.

When the victim clicks the malicious reset link, the valid reset token is sent to the attacker, allowing the attacker to take over the victim's account.

Compliance Impact

This vulnerability allows an attacker to perform a full account takeover by intercepting password reset tokens through a crafted reset link sent to victims. Such unauthorized access to user accounts can lead to exposure of personal and sensitive data.

Consequently, this can result in violations of data protection regulations such as GDPR and HIPAA, which mandate strict controls over personal data confidentiality and user authentication mechanisms.

Failure to protect against this vulnerability may lead to non-compliance with these standards due to unauthorized data access and potential data breaches.

Impact Analysis

This vulnerability can lead to full account takeover by an attacker without requiring authentication. The attacker can gain unauthorized access to user accounts by tricking victims into clicking a malicious password reset link.

Such an account compromise can result in loss of sensitive data, unauthorized actions performed on behalf of the victim, and potential further exploitation within the affected system.

Mitigation Strategies

To mitigate this vulnerability, explicitly configure the `apos.baseUrl` setting in ApostropheCMS to ensure the password reset URL is constructed using a trusted domain rather than relying on the HTTP Host header.

Since no patched versions are available as of the publication date, this configuration change is critical to prevent attackers from crafting reset links that point to malicious domains.
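The unsafe pattern the advisory describes next to a hardened form, as an added example that is not ApostropheCMS code. It assumes an Express-style request object (`req.hostname`, `req.protocol`, `req.headers.host`), a top-level `baseUrl` option standing in for the `apos.baseUrl` setting, and a hypothetical `/login?reset=...&email=...` link shape; the function names and the request object are constructed for illustration.

```javascript
// Added example, not ApostropheCMS's own code. Names and the request object are constructed.

// Vulnerable pattern: req.hostname is derived by Express from the Host header,
// so an attacker-supplied Host decides where the emailed token points.
function buildResetUrlVulnerable(req, token, email) {
  const base = `${req.protocol}://${req.hostname}`;
  return `${base}/login?reset=${encodeURIComponent(token)}&email=${encodeURIComponent(email)}`;
}

// Hardened: the link is built only from an explicitly configured base URL.
// The Host header never influences the destination of the reset token.
function buildResetUrlSafe(options, token, email) {
  if (typeof options.baseUrl !== 'string' || options.baseUrl === '') {
    // Fail closed instead of falling back to the request's Host header.
    throw new Error('baseUrl must be configured before issuing reset links');
  }
  const url = new URL('/login', options.baseUrl); // throws on a malformed baseUrl
  url.searchParams.set('reset', token);
  url.searchParams.set('email', email);
  return url.toString();
}

// Defence in depth: reject requests whose Host header is not on an allowlist
// before they reach any handler that builds absolute URLs (Express-style middleware).
function hostAllowlist(allowedHosts) {
  const allowed = new Set(allowedHosts.map((h) => h.toLowerCase()));
  return function (req, res, next) {
    const host = (req.headers.host || '').toLowerCase();
    if (!allowed.has(host)) {
      res.status(400).send('Bad Host header');
      return;
    }
    next();
  };
}

// Constructed request carrying an attacker-chosen Host header.
const attackerRequest = {
  protocol: 'https',
  hostname: 'evil.example',
  headers: { host: 'evil.example' }
};

console.log('vulnerable:', buildResetUrlVulnerable(attackerRequest, 'tok123', 'user@example.com'));
console.log('hardened:  ', buildResetUrlSafe({ baseUrl: 'https://cms.example.com' }, 'tok123', 'user@example.com'));
```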

Detection Guidance

Exploitation attempts can be detected by monitoring HTTP requests to the ApostropheCMS password reset endpoint for Host header values that differ from the expected trusted domain. A password reset request whose Host header is set to an unexpected or attacker-controlled domain is the key indicator.

The following commands use web server logs or network traffic inspection to filter requests with unusual Host headers targeting the password reset route:

  • Search web server logs for password reset requests whose Host header is not the trusted domain, for example:
    grep -i 'password-reset' /var/log/nginx/access.log | grep -v 'your-trusted-domain.com'
  • Capture HTTP requests with tcpdump or tshark and filter by Host header:
    tshark -Y 'http.host and http.request.uri contains "password-reset"' -T fields -e http.host -e http.request.uri
  • Review ApostropheCMS application logs for password reset requests where the Host header does not match the configured apos.baseUrl.
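The log check above, carried out as an added example (not part of this report) over constructed access-log lines. It assumes an nginx log_format that starts with `$host` (the default "combined" format does not record the Host header, so the grep above only works after `$host` or `$http_host` is added to the format), a `/password-reset` route name matching the pattern the commands use, and RFC 5737 documentation addresses.

```javascript
// Added example, not part of the advisory. Log lines and the route name are constructed.
// Assumed log_format: $host $remote_addr [$time_local] "$request" $status

const TRUSTED_HOSTS = ['cms.example.com'];

// Constructed sample log lines (RFC 5737 addresses; 203.0.113.10 plays the attacker).
const SAMPLE_LOG = [
  'cms.example.com 198.51.100.7 [12/Jun/2026:10:01:02 +0000] "POST /password-reset HTTP/1.1" 200',
  'evil.example 203.0.113.10 [12/Jun/2026:10:05:44 +0000] "POST /password-reset HTTP/1.1" 200',
  'evil.example 203.0.113.10 [12/Jun/2026:10:05:45 +0000] "GET /about HTTP/1.1" 200',
  'CMS.EXAMPLE.COM:443 198.51.100.9 [12/Jun/2026:10:06:00 +0000] "POST /password-reset HTTP/1.1" 200',
  'this line is not in the expected format'
];

const LINE_RE = /^(\S+) (\S+) \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/;

// Lower-case the host and drop any :port so "CMS.EXAMPLE.COM:443" compares equal
// to the trusted domain (relevant when $http_host is logged instead of $host).
function normalizeHost(host) {
  return host.toLowerCase().replace(/:\d+$/, '');
}

function parseLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null; // unparseable lines are reported as skipped, never trusted
  return { host: m[1], ip: m[2], time: m[3], method: m[4], path: m[5], status: m[6] };
}

// Returns the password reset requests whose Host header is not a trusted domain.
function findSuspiciousResetRequests(lines, trustedHosts) {
  const trusted = new Set(trustedHosts.map(normalizeHost));
  const hits = [];
  for (const line of lines) {
    const entry = parseLine(line);
    if (!entry) continue;
    if (!/password-reset/i.test(entry.path)) continue; // same route pattern as the grep
    if (trusted.has(normalizeHost(entry.host))) continue;
    hits.push(entry);
  }
  return hits;
}

for (const h of findSuspiciousResetRequests(SAMPLE_LOG, TRUSTED_HOSTS)) {
  console.log(`suspicious reset request: host=${h.host} ip=${h.ip} at ${h.time}`);
}
```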
