CVE-2026-50635

Password Reset Link Spoofing in LimeSurvey

Vulnerability report for CVE-2026-50635, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host's newPassword endpoint to set a new password and take over the account.


Meta Information

Published
2026-06-09
Last Modified
2026-06-09
Generated
2026-06-30
AI Q&A
2026-06-09
EPSS Evaluated
2026-06-28

Affected Vendors & Products

Vendor Product Version / Range
limesurvey limesurvey *
limesurvey limesurvey up to 8.0 (excluding)

Exploitability

CWE
CWE ID Description
CWE-640 The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.

Executive Summary

This vulnerability in LimeSurvey involves the construction of password reset links using the client-supplied HTTP Host header without proper validation. Because the default configuration does not define an allowedHosts allowlist, the host validation function does not operate effectively.

An unauthenticated remote attacker can submit a forgotten-password request for a known account with a spoofed Host header. This causes LimeSurvey to send a password reset email containing a reset link with a hostname controlled by the attacker but embedding a genuine validation key.

When the victim or an automated mail-security scanner accesses this link, the valid reset token is exposed to the attacker. The attacker can then use this token to reset the password and take over the victim's account.

Impact Analysis

This vulnerability allows a remote, unauthenticated attacker to hijack password reset tokens and take over user accounts in LimeSurvey.

By exploiting the flaw, the attacker can reset the password of a targeted account without authorization, gaining full access to that account.

This can lead to unauthorized access to sensitive survey data, manipulation of survey responses, or misuse of the compromised account for further attacks.

Detection Guidance

Detection of this vulnerability involves monitoring for password reset requests that include suspicious or spoofed HTTP Host headers. Since the vulnerability arises from LimeSurvey constructing password reset links using the client-supplied Host header without validation, network or application logs can be inspected for unusual Host header values in password reset requests.

Commands to detect such activity could include searching web server logs for password reset requests with unexpected Host headers. Note that the default Apache and Nginx "combined" log formats do not record the Host header, so the log format must include it (for example Apache's %{Host}i or Nginx's $host) before filtering on it is meaningful. For example, using grep on Apache or Nginx logs:

  • grep -i 'password-reset' /var/log/apache2/access.log | grep -v 'your-legitimate-hostname'
  • grep 'Host:' /var/log/nginx/access.log | grep -i 'password-reset' | grep -v 'your-legitimate-hostname'

Additionally, monitoring email logs for password reset emails containing unexpected hostnames in the reset links can help detect exploitation attempts.
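As an added example (not code from the page or the LimeSurvey project), the following Python script applies the detection idea above to constructed access-log lines: it flags password-recovery requests whose Host header is not on the allowlist, normalising case and port so that only genuinely foreign hosts are reported. It assumes a log format with the Host header as the first field and uses placeholder route names and a sample allowed host.

```python
import re

ALLOWED_HOSTS = {"survey.example.org"}  # hosts this instance legitimately serves (sample value)

# Assumed layout: "combined" format with the Host header (Apache %{Host}i / nginx
# $host) as the first field; default combined logs omit Host, so extend the format first.
LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Placeholder substrings for the password-recovery routes; adjust to your instance.
RESET_MARKERS = ("forgotpassword", "newpassword", "password-reset")

def normalize_host(host):
    """Lower-case and drop any port so 'Survey.Example.org:443' compares as 'survey.example.org'."""
    host = host.strip().lower()
    if host.startswith("["):            # IPv6 literal such as [::1]:8080
        return host.split("]")[0] + "]"
    return host.split(":")[0]

def is_allowed_host(host, allowed=ALLOWED_HOSTS):
    """The allowlist test that generated absolute URLs should be gated on."""
    return normalize_host(host) in allowed

def is_reset_request(target):
    return any(marker in target.lower() for marker in RESET_MARKERS)

def find_spoofed_reset_requests(lines, allowed=ALLOWED_HOSTS):
    """Return password-recovery requests whose Host header is not on the allowlist."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)          # lines that do not parse are skipped
        if m and is_reset_request(m["target"]) and not is_allowed_host(m["host"], allowed):
            hits.append({"time": m["time"], "client": m["client"],
                         "host": m["host"], "target": m["target"]})
    return hits

SAMPLE_LOG = [  # constructed sample lines, not real traffic
    'survey.example.org 203.0.113.5 - - [09/Jun/2026:10:00:01 +0000] '
    '"GET /admin/forgotpassword HTTP/1.1" 200 1834',
    'attacker-controlled.example 198.51.100.7 - - [09/Jun/2026:10:02:13 +0000] '
    '"POST /admin/forgotpassword HTTP/1.1" 302 0',
    'Survey.Example.org:443 203.0.113.9 - - [09/Jun/2026:10:03:40 +0000] '
    '"POST /admin/forgotpassword HTTP/1.1" 302 0',
    'not a log line',
]
```

Running `find_spoofed_reset_requests(SAMPLE_LOG)` reports only the second line; the third is accepted because the host differs from the allowlist entry only in case and port.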

Mitigation Strategies

Immediate mitigation involves configuring LimeSurvey to validate and restrict allowed Host headers used in password reset links. This can be done by defining an allowedHosts allowlist to constrain which hostnames are accepted.

According to the fix introduced, the system should have a persisted allowed-hosts configuration file that includes the legitimate server hostname. This file is auto-created on the first successful admin login and enforces host validation for all generated absolute URLs.

Other mitigation steps include:

  • Ensure the allowed-hosts configuration file is properly set and maintained.
  • Update LimeSurvey to a version that includes the patch for this vulnerability.
  • Verify that password reset and email workflows fail safely if validated URLs cannot be generated.
  • Monitor admin UI for warnings about missing allowed hosts and address them promptly.

Compliance Impact

The vulnerability in LimeSurvey allows an attacker to hijack password reset tokens by exploiting an unvalidated HTTP Host header, leading to unauthorized account takeover.

Such unauthorized access to user accounts can result in exposure of personal data, which may violate data protection regulations like GDPR and HIPAA that require strict controls on access to personal and sensitive information.

Because LimeSurvey is used by organizations including those in healthcare and public sectors, this vulnerability could lead to non-compliance with these standards if exploited, due to failure to adequately protect user credentials and personal data.

The fix introduced a host allowlist validation system to prevent malicious Host headers, which helps mitigate the risk and supports compliance by ensuring password reset links are securely generated and sent only with trusted hostnames.
