CVE-2026-31881
Published: 11 March 2026
Description
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.
Mitigating Controls (NIST 800-53 r5) [AI]
AC-14 (Permitted Actions Without Identification or Authentication) requires defining which actions may be performed without authentication and excluding critical ones such as password resets, which would have kept the exposed endpoint from being usable anonymously.
AC-3 (Access Enforcement) enforces the access control policy at the endpoint, so unauthorized requests to the password-reset endpoint are rejected.
IA-5 (Authenticator Management) requires secure management of authenticators, including protecting the password-reset process against unauthorized changes.
Security Summary [AI]
CVE-2026-31881 is a vulnerability in Runtipi, a personal homeserver orchestrator, affecting versions prior to 4.8.0. It stems from the POST /api/auth/reset-password endpoint being exposed without authentication or authorization checks, allowing an unauthenticated attacker to reset the operator (admin) password when a password-reset request is active. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), enables full account takeover and carries a CVSS v3.1 score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L).
The attack requires a password-reset request to be active, creating a 15-minute window during which any remote, unauthenticated user can exploit the endpoint. By sending a POST request, the attacker can set a new operator password and subsequently log in as admin, achieving complete control over the homeserver orchestrator.
The issue is addressed in Runtipi version 4.8.0. Additional details on the vulnerability and mitigation are available in the GitHub security advisory at https://github.com/runtipi/runtipi/security/advisories/GHSA-96fm-whrc-cwg3.
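The missing check described above, as an added illustrative example that is not Runtipi's code or its 4.8.0 fix: the reset endpoint stays unauthenticated, but it only changes the password when the caller presents a one-time token minted when the operator opened the reset request, so an open 15-minute window alone is no longer sufficient. The `ResetState`, `openResetRequest` and `handleResetPassword` names and the stored-hash shape are assumptions.

```typescript
// Illustrative hardened reset flow (added example, not Runtipi's code or fix).
// The operator opens a reset request out of band (e.g. on the host console);
// that step mints a random one-time token the endpoint must be shown.
import { randomBytes, scryptSync, timingSafeEqual } from "node:crypto";

export const RESET_WINDOW_MS = 15 * 60 * 1000; // 15-minute window from the advisory

export interface ResetRequest {
  token: string;     // hex secret shown only to the operator
  expiresAt: number; // epoch milliseconds
  consumed: boolean; // a request is single use
}

export interface ResetState {
  request: ResetRequest | null;
  operatorPasswordHash: string; // assumed shape of the stored credential
}

export type ResetOutcome = "ok" | "no-active-request" | "expired" | "bad-token" | "already-used";

// Operator-side step: open the window and return the token for local display.
export function openResetRequest(state: ResetState, now: number): string {
  const token = randomBytes(32).toString("hex");
  state.request = { token, expiresAt: now + RESET_WINDOW_MS, consumed: false };
  return token;
}

// Endpoint-side step. Each refusal below is a check the vulnerable version
// lacked: proof that the caller is the operator who opened the request.
export function handleResetPassword(
  state: ResetState, presented: string | undefined, newPassword: string, now: number,
): ResetOutcome {
  const req = state.request;
  if (!req) return "no-active-request";
  if (req.consumed) return "already-used";
  if (now > req.expiresAt) { state.request = null; return "expired"; }
  const a = Buffer.from(presented ?? "", "utf8");
  const b = Buffer.from(req.token, "utf8");
  // Compare lengths first: timingSafeEqual throws on unequal-length inputs.
  if (a.length !== b.length || !timingSafeEqual(a, b)) return "bad-token";
  req.consumed = true;
  state.operatorPasswordHash = hashPassword(newPassword);
  return "ok";
}

// Salted scrypt stand-in for the stored password hash.
function hashPassword(pw: string): string {
  const salt = randomBytes(16);
  return salt.toString("hex") + ":" + scryptSync(pw, salt, 64).toString("hex");
}
```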
MITRE ATT&CK Enterprise Techniques [AI]
Why these techniques?
Unauthenticated remote exploitation of a public-facing web API endpoint (POST /api/auth/reset-password) enables admin account takeover, directly mapping to T1190: Exploit Public-Facing Application.