CVE-2026-53912
Status: Deferred - Pending Action
Password Hash Exposure in Cerebrate Inbox

Publication date: 2026-06-11

Last updated on: 2026-06-11

Assigner: 5a6e4751-2f3f-4070-9419-94fb35b644e8

Description
Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, and CSV outputs, and could also be written unredacted into audit log entries for the inbox message.

An authenticated user with sufficient privileges to access inbox entries or related audit logs could retrieve password hashes associated with pending self-registration requests. Although the exposed value is a password hash rather than a plaintext password, disclosure of password hashes may enable offline password-cracking attempts and could increase risk where users reuse passwords across systems.

Cerebrate 1.37 fixes the issue by redacting sensitive password and authkey fields from inbox display/API output and recursively redacting those fields from JSON values written to audit logs, while leaving the stored registration payload intact for account creation processing.

Affected component: Inbox self-registration request handling and audit logging

Fixed version: Cerebrate 1.37
Meta Information
Published: 2026-06-11
Last Modified: 2026-06-11
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Currently, no data is known.
CWE
CWE-200: The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.
Executive Summary

Cerebrate before version 1.37 had a vulnerability where credential material from self-registration requests was exposed. Specifically, the self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This hashed password was returned unredacted in inbox index and view responses, including HTML, JSON, and CSV outputs, and could also appear unredacted in audit log entries.

An authenticated user with sufficient privileges to access inbox entries or related audit logs could retrieve these password hashes. Although the exposed data were password hashes rather than plaintext passwords, this exposure could enable offline password-cracking attempts, especially if users reuse passwords across different systems.

The issue was fixed in Cerebrate version 1.37 by redacting sensitive password and authentication key fields from inbox display and API output, as well as recursively redacting those fields from JSON values written to audit logs, while still preserving the stored registration payload for account creation processing.
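The description and this summary both attribute the 1.37 fix to the same mechanism: redact password and authkey fields on the display and API path, redact them recursively inside JSON written to the audit log, and leave the stored payload untouched so account creation still works. The following Python is an added illustration of that pattern, not Cerebrate's own code (Cerebrate is a PHP application, and its actual key list and function names are not reproduced here). The `SENSITIVE_KEYS` set, the `redact`, `redact_json_string`, `inbox_view`, `audit_log_entry` and `create_account` names, and the sample inbox message with its placeholder hash are all constructed for this example.

```python
import json
from typing import Any

# Field names treated as credential material. Constructed for this example;
# the real redaction list used by Cerebrate is not reproduced here.
SENSITIVE_KEYS = frozenset({"password", "authkey"})
REDACTED = "[REDACTED]"


def redact(value: Any, sensitive: frozenset = SENSITIVE_KEYS) -> Any:
    """Return a new structure with every sensitive field replaced.

    Recurses through nested dicts and lists so a hash buried several levels
    down (data -> org -> contacts[0] -> authkey) is caught as well as a
    top-level one. The input is never mutated: that is what keeps the stored
    registration payload usable for account creation.
    """
    if isinstance(value, dict):
        return {
            k: REDACTED
            if isinstance(k, str) and k.lower() in sensitive
            else redact(v, sensitive)
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(item, sensitive) for item in value]
    return value  # scalars (str, int, bool, None) are returned as-is


def redact_json_string(raw: str, sensitive: frozenset = SENSITIVE_KEYS) -> str:
    """Redact a JSON document held as text, the form audit logs usually store.

    Text that is not valid JSON is returned unchanged rather than raising, so
    a non-JSON audit value is still written and nothing is silently dropped.
    """
    try:
        parsed = json.loads(raw)
    except ValueError:
        return raw
    return json.dumps(redact(parsed, sensitive))


# Constructed sample of what a self-registration inbox message might carry.
# The password value is a placeholder string, not a real bcrypt digest.
INBOX_MESSAGE = {
    "id": 42,
    "scope": "User",
    "action": "Registration",
    "data": {
        "email": "new.user@example.org",
        "username": "new.user",
        "password": "$2y$10$PLACEHOLDER_HASH_NOT_A_REAL_DIGEST",
        "org": {
            "name": "Example Org",
            "contacts": [{"name": "Admin", "authkey": "PLACEHOLDER_AUTHKEY"}],
        },
    },
}


def inbox_view(message: dict) -> dict:
    """What an index/view endpoint (HTML, JSON or CSV) should serialise."""
    return redact(message)


def audit_log_entry(message: dict) -> str:
    """JSON written to the audit log, redacted recursively before storage."""
    return redact_json_string(json.dumps(message))


def create_account(message: dict) -> dict:
    """Account-creation processing reads the untouched stored payload."""
    data = message["data"]
    return {"username": data["username"], "password_hash": data["password"]}


if __name__ == "__main__":
    print(json.dumps(inbox_view(INBOX_MESSAGE), indent=2))
    print(audit_log_entry(INBOX_MESSAGE))
    # The stored message is unchanged, so registration processing still works.
    assert create_account(INBOX_MESSAGE)["password_hash"].startswith("$2y$")
```

The design point worth checking in any real implementation is the split between the three paths: the display/API path and the audit path both receive a redacted copy, while the persistence path keeps the original. Redacting the stored record itself would break account creation, which is exactly the trade-off the advisory describes.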

Impact Analysis

This vulnerability can impact you by exposing hashed passwords from self-registration requests to authenticated users with access to inbox entries or audit logs. While the passwords are hashed, attackers could attempt offline password cracking to recover the original passwords.

If users reuse passwords across multiple systems, the exposure of these hashes increases the risk of unauthorized access to other accounts or systems beyond Cerebrate.

Mitigation Strategies

The vulnerability is fixed in Cerebrate version 1.37 by redacting sensitive password and authkey fields from inbox display and API output, as well as from audit logs.

Therefore, the immediate step to mitigate this vulnerability is to upgrade Cerebrate to version 1.37 or later.

Compliance Impact

The vulnerability exposes hashed password material through inbox messages and audit logs, which could lead to offline password-cracking attempts if the material is read by authenticated users who can view inbox entries or audit logs but are not authorized to hold the registrants' credential material.

While the exposed data is hashed rather than plaintext, the disclosure of such sensitive authentication information may increase the risk of unauthorized access, especially if users reuse passwords across systems.

This exposure could potentially impact compliance with standards like GDPR and HIPAA, which require protection of personal and authentication data to prevent unauthorized disclosure and ensure data confidentiality.

The issue was fixed in Cerebrate version 1.37 by redacting sensitive password and authentication key fields from inbox displays, API outputs, and audit logs, thereby reducing the risk of non-compliance.
