HarborGuard Database

CVE-2026-37106 | Severity: CRITICAL | CNA: mitre

CVE-2026-37106: An issue in DokuWiki 2025-05-14b "Librarian" 56

An issue in DokuWiki 2025-05-14b "Librarian" 56.2 allows a remote attacker to create an account via the register function in inc/auth.php. NOTE: this is disputed by the Supplier because this is the intentional behavior when the product is configured for self-registration (a non-default feature).

Metrics

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

CVE-2026-37106 describes unrestricted account creation in DokuWiki 2025-05-14b "Librarian" 56.2, not an authentication bypass: when the wiki is configured for self-registration, the register action (the register function in inc/auth.php, reached over HTTP through doku.php?do=register) lets anyone who can reach the service create an account with no existing credentials and no action from a victim. A successful attacker ends up with an ordinary registered account, which gives access to whatever pages and actions the wiki's ACLs grant to logged-in users. The supplier disputes the CVE: self-registration is off by default and, when an administrator enables it, creating accounts is the intended behavior of the feature, so the record describes a configuration exposure rather than a defect in the code. HarborGuard tracks the advisory and will make a patched-image rebuild available if an upstream fix is published.

HarborGuard Coverage

Detection (Available)

Detection for CVE-2026-37106 is available in every HarborGuard environment: the CVE is matched against customer images within minutes of ingestion from upstream advisory feeds, including custom-built images that bundle DokuWiki. Coverage applies to both registry scans and inline CI/CD pipeline checks.

Triage (Available)

HarborGuard scores this CVE at CVSS 9.8 (Critical) and weights it against each customer environment's configured compliance policy to prioritize routing. Triage alerts are delivered to the appropriate team inbox within each customer organization based on policy-defined ownership rules. Note that the published vector (C:H/I:H/A:H) assumes a newly registered account gains full impact; on a wiki whose ACLs grant registered users only read access the practical impact is far lower, so weight the score against the instance's ACL configuration and against whether self-registration is enabled at all.

Patch (Pending upstream)

No fix version has been published for CVE-2026-37106, and since the supplier considers the behavior intentional none may ever be. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim the effective compensating control is configuration rather than a patch: disable the register action wherever self-registration is not explicitly required (DokuWiki's disableactions setting in conf/local.php takes a comma-separated list of actions and accepts register), and where it is required, use HarborGuard's network-policy isolation recommendations to restrict who can reach doku.php?do=register.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the DokuWiki service over the network; the register action (doku.php?do=register, handled by the register function in inc/auth.php) is served over HTTP/HTTPS.

  • Authentication: Not required

    No credentials or existing account are needed; the register action is accessible to unauthenticated users by design when self-registration is enabled.

  • Victim interaction: Not required

    The attacker completes the attack entirely on their own, without any action from a legitimate user or administrator.

  • Attack complexity: Low

    The exploit is a single registration request; it needs no special conditions, race timing, or prior knowledge of the target environment beyond the fact that self-registration is enabled.

Blast Radius

  • A successful attacker holds a valid account on the DokuWiki instance, defeating any access-control assumption that relied on registration being closed.
  • With a registered account, the attacker can read wiki pages and stored content restricted to the logged-in group, exposing whatever internal documentation is kept there.
  • The attacker can create or modify wiki pages wherever the ACLs grant registered users write access, tampering with persisted content and potentially injecting malicious material.
  • Depending on DokuWiki plugin configuration and ACL rules, the attacker may escalate further through features available only to registered users.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix has been published for CVE-2026-37106, HarborGuard continuously re-evaluates the advisory on every ingest cycle and will surface a patched-image rebuild automatically the moment a fix version is released. In the meantime, HarborGuard flags all images containing the affected DokuWiki version and surfaces compensating-control guidance: configuration notes advising administrators to disable self-registration unless it is explicitly required (add register to $conf['disableactions'] in conf/local.php), network-policy rules to block or restrict public access to doku.php?do=register where registration must stay open, and egress filtering to limit lateral movement from a compromised instance.

Customers should also review DokuWiki ACL settings so that newly created accounts receive minimal permissions by default; the blast radius of this record is bounded entirely by what the ACLs grant to a registered user. Because the supplier disputes that this is a vulnerability outside self-registration-enabled deployments, teams should verify their DokuWiki configuration and treat only instances with self-registration enabled as the exposure surface.
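To turn that verification advice into something runnable, the following is an added example written for this page; it is not HarborGuard's or DokuWiki's own code. It checks the two places the exposure shows up: the instance's conf/local.php, where useacl and disableactions are real DokuWiki settings (the toy parser only handles one-line scalar assignments, and it does not know whether the configured auth backend can add users), and the body returned by an unauthenticated GET to doku.php?do=register, where the form id dw__register is assumed from DokuWiki's register UI and should be confirmed against your own instance. The config files and HTML fragments are constructed samples embedded inline, so it runs offline; the hardened sample shows the corrective setting beside the exposed one.

```python
import re

# Constructed sample of a DokuWiki conf/local.php on which the register
# action is reachable: ACLs are on and 'register' is not disabled.
EXPOSED_LOCAL_PHP = """<?php
$conf['title'] = 'Team Wiki';
$conf['useacl'] = 1;
$conf['authtype'] = 'authplain';
$conf['disableactions'] = '';
"""

# The same constructed file with the corrective setting applied: the
# register action (and the related resendpwd action) is switched off.
HARDENED_LOCAL_PHP = """<?php
$conf['title'] = 'Team Wiki';
$conf['useacl'] = 1;
$conf['authtype'] = 'authplain';
$conf['disableactions'] = 'register,resendpwd';
"""

# One-line scalar assignments only: $conf['key'] = 'str'; or $conf['key'] = 1;
_CONF_LINE = re.compile(
    r"""^\s*\$conf\['(?P<key>[^']+)'\]\s*=\s*"""
    r"""(?:'(?P<sq>[^']*)'|"(?P<dq>[^"]*)"|(?P<num>-?\d+))\s*;""",
    re.MULTILINE,
)


def parse_local_php(text):
    """Collect scalar $conf entries from a local.php body into a dict.

    Later assignments overwrite earlier ones, as they would in PHP. Arrays,
    constants and concatenations are not handled; this is an audit helper,
    not a PHP parser.
    """
    conf = {}
    for m in _CONF_LINE.finditer(text):
        if m.group("num") is not None:
            value = int(m.group("num"))
        elif m.group("sq") is not None:
            value = m.group("sq")
        else:
            value = m.group("dq")
        conf[m.group("key")] = value
    return conf


def disabled_actions(conf):
    """Return the set of action names listed in disableactions."""
    raw = str(conf.get("disableactions", ""))
    return {a.strip() for a in raw.split(",") if a.strip()}


def self_registration_enabled(conf):
    """True when the config leaves the register action reachable.

    Two switches decide this: useacl must be on (without ACLs there are no
    accounts to register) and 'register' must not appear in disableactions.
    Whether the configured auth backend can actually add users is
    backend-specific and is not checked here.
    """
    useacl = str(conf.get("useacl", 0)).strip() == "1"
    return useacl and "register" not in disabled_actions(conf)


# Constructed bodies standing in for an unauthenticated GET to
# doku.php?do=register. The form id dw__register is an assumption taken
# from DokuWiki's register UI; confirm it against your own instance.
REGISTER_FORM_HTML = (
    '<div class="dokuwiki"><h1>Register as new user</h1>'
    '<form id="dw__register" method="post" action="/doku.php?do=register">'
    '<input type="text" name="login"></form></div>'
)
NO_REGISTER_HTML = (
    '<div class="dokuwiki"><div class="page group">'
    '<h1>Welcome</h1><p>Nothing to register here.</p></div></div>'
)


def registration_form_present(html):
    """Detect a served registration form in the response body."""
    return re.search(r'<form\b[^>]*\bid="dw__register"', html) is not None


def audit(local_php_text, register_response_html):
    """Combine the config view and the network view into one verdict.

    A served form is treated as authoritative even if the config file you
    were handed says otherwise, since that means it is not the live config.
    """
    conf = parse_local_php(local_php_text)
    config_allows = self_registration_enabled(conf)
    form_served = registration_form_present(register_response_html)
    return {
        "config_allows_register": config_allows,
        "form_served": form_served,
        "exposed": config_allows or form_served,
    }


if __name__ == "__main__":
    print(audit(EXPOSED_LOCAL_PHP, REGISTER_FORM_HTML))
    print(audit(HARDENED_LOCAL_PHP, NO_REGISTER_HTML))
```

In practice you would feed parse_local_php the real conf/local.php from the image or volume and registration_form_present the body of a real unauthenticated request to doku.php?do=register; an instance that reports exposed is the one this advisory is about, and the hardened sample is the change that closes it.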

Affected packages
  • n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H