CVE-2026-46485
Deferred
Deferred - Pending Action
Unauthenticated Config Write in Dashy
Vulnerability report for CVE-2026-46485, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-07-15
Last updated on: 2026-07-15
Assigner: GitHub, Inc.
Description
Description
Dashy is a self-hostable personal dashboard. Prior to 4.0.8, Dashy deployments using OIDC can allow unauthenticated users or non-admin authenticated users to write changes to the main config.yaml through the config-saving functionality despite configured permissions, allowing unauthorized modification of dashboard configuration and potential service disruption. This issue is fixed in version 4.0.8.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| lissy93 | dashy | to 4.0.8 (inc) |
| lissy93 | dashy | to 4.0.8 (exc) |
| lissy93 | dashy | to 3.2.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-602 | The product is composed of a server that relies on the client to implement a mechanism that is intended to protect the server. |
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
| CWE-15 | One or more system settings or configuration elements can be externally controlled by a user. |
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |