CVE-2026-50635
BaseFortify

Publication date: 2026-06-09

Last updated on: 2026-06-09

Assigner: VulnCheck

Description
LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() is effectively a no-op. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host's newPassword endpoint to set a new password and take over the account.
Generated: 2026-06-10
Affected Vendors & Products
Vendor: limesurvey; Product: limesurvey; Version / Range: * (all versions)
Vendor: limesurvey; Product: limesurvey; Version / Range: up to 8.0 (8.0 excluded)
CWE ID: CWE-640
Description: The product contains a mechanism for users to recover or change their passwords without knowing the original password, but the mechanism is weak.
Executive Summary

This vulnerability in LimeSurvey involves the construction of password reset links using the client-supplied HTTP Host header without proper validation. Because the default configuration does not define an allowedHosts allowlist, the host validation function does not operate effectively.

An unauthenticated remote attacker can submit a forgotten-password request for a known account with a spoofed Host header. This causes LimeSurvey to send a password reset email containing a reset link with a hostname controlled by the attacker but embedding a genuine validation key.

When the victim or an automated mail-security scanner accesses this link, the valid reset token is exposed to the attacker. The attacker can then use this token to reset the password and take over the victim's account.

Impact Analysis

This vulnerability allows a remote, unauthenticated attacker to hijack password reset tokens and take over user accounts in LimeSurvey.

By exploiting the flaw, the attacker can reset the password of a targeted account without authorization, gaining full access to that account.

This can lead to unauthorized access to sensitive survey data, manipulation of survey responses, or misuse of the compromised account for further attacks.

Detection Guidance

Detection of this vulnerability involves monitoring for password reset requests that include suspicious or spoofed HTTP Host headers. Since the vulnerability arises from LimeSurvey constructing password reset links using the client-supplied Host header without validation, network or application logs can be inspected for unusual Host header values in password reset requests.

Commands to detect such activity could include searching web server logs for password reset requests with unexpected Host headers. Note that the default Apache and Nginx access-log formats do not record the Host header at all; these searches only work once the log format includes it (Apache `%{Host}i`, Nginx `$http_host` or `$host`), and the request-path pattern below is a placeholder to be replaced with the forgot-password route of the deployment. For example, using grep on Apache or Nginx logs:

  • grep -i 'password-reset' /var/log/apache2/access.log | grep -v 'your-legitimate-hostname'
  • grep -i 'password-reset' /var/log/nginx/access.log | grep -v 'your-legitimate-hostname'

Additionally, monitoring email logs for password reset emails containing unexpected hostnames in the reset links can help detect exploitation attempts.

Mitigation Strategies

Immediate mitigation involves configuring LimeSurvey to validate and restrict allowed Host headers used in password reset links. This can be done by defining an allowedHosts allowlist to constrain which hostnames are accepted.

According to the fix introduced, the system should have a persisted allowed-hosts configuration file that includes the legitimate server hostname. This file is auto-created on the first successful admin login and enforces host validation for all generated absolute URLs.

Other mitigation steps include:

  • Ensure the allowed-hosts configuration file is properly set and maintained.
  • Update LimeSurvey to a version that includes the patch for this vulnerability.
  • Verify that password reset and email workflows fail safely if validated URLs cannot be generated.
  • Monitor admin UI for warnings about missing allowed hosts and address them promptly.
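The two defensive pieces described above, host validation that fails closed when building a reset link (the Mitigation section) and a scan of access logs for reset requests carrying a non-allowlisted Host header (the Detection section), as one added example. This is illustrative code written for this page, not LimeSurvey's own implementation; the allowlist, the `/forgotpassword` route, the reset-URL shape and the log lines are constructed placeholders.

```python
import re
from typing import Optional

# Placeholder allowlist and route pattern: adjust to your deployment (assumptions).
ALLOWED_HOSTS = {"surveys.example.org"}
RESET_ROUTE = re.compile(r"forgotpassword|password-reset", re.I)

# Combined log format with the Host header appended as the final field
# (Apache "%{Host}i", Nginx "$http_host"); the default formats omit it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" (?P<host>\S+)$'
)

# Constructed sample log: one legitimate reset, one with a spoofed Host, one
# unrelated request, and one legitimate reset with upper case and a port.
SAMPLE_LOG = """\
203.0.113.7 - - [09/Jun/2026:10:00:01 +0000] "POST /forgotpassword HTTP/1.1" 200 512 "-" "Mozilla/5.0" surveys.example.org
198.51.100.23 - - [09/Jun/2026:10:00:05 +0000] "POST /forgotpassword HTTP/1.1" 200 512 "-" "curl/8.0" attacker.example.net
198.51.100.23 - - [09/Jun/2026:10:00:06 +0000] "GET /surveys HTTP/1.1" 200 2048 "-" "curl/8.0" attacker.example.net
192.0.2.9 - - [09/Jun/2026:10:01:00 +0000] "POST /forgotpassword HTTP/1.1" 200 512 "-" "Mozilla/5.0" SURVEYS.EXAMPLE.ORG:443"""


def normalize_host(raw: str) -> Optional[str]:
    """Lower-case a Host value, drop an explicit port and trailing dot; None if malformed."""
    host = raw.strip().lower()
    host = host.split("]")[0] + "]" if host.startswith("[") else host.split(":")[0]
    host = host.rstrip(".")
    return host if host and re.fullmatch(r"[a-z0-9.\-\[\]:]+", host) else None


def is_allowed_host(raw: str, allowed=ALLOWED_HOSTS) -> bool:
    """Fail closed: an empty allowlist rejects every host, unlike the no-op default."""
    host = normalize_host(raw)
    return host is not None and bool(allowed) and host in allowed


def build_reset_url(host_header: str, validation_key: str, allowed=ALLOWED_HOSTS) -> str:
    """Build the absolute reset link only from a validated host; otherwise raise."""
    if not is_allowed_host(host_header, allowed):
        raise ValueError(f"refusing to build reset URL for untrusted host {host_header!r}")
    return f"https://{normalize_host(host_header)}/newPassword?validation_key={validation_key}"


def scan_access_log(log_text: str, allowed=ALLOWED_HOSTS) -> list:
    """Return (client_ip, host) pairs for reset requests whose Host is not allowlisted."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and RESET_ROUTE.search(m["path"]) and not is_allowed_host(m["host"], allowed):
            hits.append((m["ip"], m["host"]))
    return hits
```

Running `scan_access_log(SAMPLE_LOG)` flags only the second line, and `build_reset_url` raises for any host that would not survive the same check.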