CVE-2026-45013: Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using `req.hostname`, which is derived directly from the attacker-controlled HTTP `Host` header when `apos.baseUrl` is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset request that causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid reset token is delivered to the attacker, enabling full account takeover. As of the time of publication, no known patched versions are available.
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is a weak password reset mechanism (Host header injection) in ApostropheCMS, an open-source Node.js content management system, affecting all versions up to and including 4.29.0. The vulnerability is reachable over the network with no authentication required, but it does require the victim to click a malicious password reset link delivered to their inbox. Successful exploitation gives the attacker the victim's valid reset token, enabling full account takeover. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available the moment a fix version is published.
HarborGuard Coverage
- Available: Detection is available across every HarborGuard environment. The CVE is ingested from upstream feeds within minutes of publication and matched against customer images in connected registries and CI/CD pipelines, including custom-built images that bundle ApostropheCMS. Any image containing an affected version (apostrophe <= 4.29.0) is flagged automatically.
- Available: HarborGuard scores this finding at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within the customer org based on configured notification rules.
- Pending upstream: Because no fix version has been published upstream as of this CVE's publication date, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be initiated without manual intervention once a fix version exists.
Exploit Conditions
- Network reachability: Required
The attacker must reach the application's password reset endpoint over the network to send a crafted request with a malicious Host header.
- Authentication: Not required
No account or credentials are needed; the attacker only requires knowledge of a target user's email address.
- Victim interaction: Required
The victim must click the attacker-crafted password reset link delivered to their email inbox for the reset token to be exfiltrated.
- Attack complexity
The exploit is reliable and condition-free once a target email is known; no race conditions or special environmental factors are required.
Blast Radius
- Attacker receives the victim's valid password reset token, granting the ability to set a new password and take over the account entirely.
- Attacker gains full read and write access to all content and data the compromised account can reach within the CMS.
- If the compromised account holds editor or admin privileges, the attacker can modify, publish, or delete site content and alter CMS configuration.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored continuously against all customer images containing apostrophe <= 4.29.0 with no manual setup required. Because no upstream fix exists at this time, HarborGuard re-evaluates the advisory on every ingest cycle. As soon as a patched version is published, a rebuilt image becomes available and, for customers who have opted into auto-remediation, HarborGuard will initiate a rebuild, run regression tests, and open a PR against affected workloads automatically. In the interim, compensating controls worth considering include isolating the affected service behind a network policy that restricts inbound Host header values at the load balancer or reverse proxy level (for example, by enforcing an explicit allowed-hosts list), and explicitly setting apos.baseUrl in the ApostropheCMS configuration to prevent the application from trusting the attacker-supplied Host header. Where compliance policy permits, HarborGuard can flag any image that omits the apos.baseUrl configuration as a policy violation to accelerate remediation prioritization.
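The compensating control above (an explicit base URL, or failing that an allowed-hosts check) in code, as an added example that is not ApostropheCMS's own code: the weak pattern derives the reset link's origin from the Host header, while the hardened builder prefers a configured base URL and otherwise only accepts a Host value on an explicit allowlist. The config keys `baseUrl` and `allowedHosts`, the `/reset-password` path and the host `cms.example.com` are assumptions made for illustration.

```javascript
// Constructed sample configuration; key names are hypothetical, not ApostropheCMS options.
const SAMPLE_CONFIG = { baseUrl: 'https://cms.example.com', allowedHosts: ['cms.example.com'] };

// Lowercase a Host header value and strip any port (bracketed IPv6 literals included).
// Returns null for empty or malformed values so callers fail closed.
function normalizeHost(raw) {
  if (typeof raw !== 'string' || raw.length === 0) return null;
  const value = raw.trim().toLowerCase();
  if (value.startsWith('[')) {
    const end = value.indexOf(']');
    return end === -1 ? null : value.slice(0, end + 1);
  }
  const host = value.split(':')[0];
  return /^[a-z0-9.-]+$/.test(host) ? host : null;
}

// Weak pattern: the link's origin is whatever the request's Host header says,
// so the emailed token goes wherever the sender of the reset request chose.
function buildResetUrlFromHost(hostHeader, token) {
  return `https://${hostHeader}/reset-password?token=${encodeURIComponent(token)}`;
}

// Hardened pattern: use the configured base URL; when none is set, accept only a
// Host value on the allowlist and refuse to build a link (and send mail) otherwise.
function buildResetUrl(config, hostHeader, token) {
  let origin;
  if (config.baseUrl) {
    origin = new URL(config.baseUrl).origin; // drops any path or trailing slash
  } else {
    const host = normalizeHost(hostHeader);
    const allowed = (config.allowedHosts || []).map((h) => h.toLowerCase());
    if (host === null || !allowed.includes(host)) {
      return null; // untrusted Host header: do not emit a reset link at all
    }
    origin = `https://${host}`;
  }
  return `${origin}/reset-password?token=${encodeURIComponent(token)}`;
}
```

A `null` return should be treated as a hard failure of the reset request (no email sent, event logged), which also gives a useful detection signal for reset requests carrying unexpected Host values.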
- apostrophecms / apostrophe: <= 4.29.0
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N