HIGH | CVE-2026-47181 | CNA: GitHub_M

CVE-2026-47181: PenguinMod-BackendApi: NoSQL Injection in Password Reset Endpoint Allows Account Takeover

PenguinMod-BackendApi is the backend API for PenguinMod. Prior to version 1.0.0, a NoSQL injection vulnerability in the password reset endpoint allows any authenticated user to change the password of an account, leading to full account takeover. An attacker only needs a registered account and a valid password reset token for their own account. This issue has been patched in version 1.0.0.
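
NoSQL injection of this class typically arises when a request field that should be a literal string arrives as an object and is passed into a database filter unchanged. The guard below is an added example, not PenguinMod-BackendApi code or the upstream patch; it assumes a JSON request body, and the field names `username`, `token`, `password` and `resetToken` are hypothetical.

```javascript
// Added example: strict validation of a password-reset request body.
// Field names (username, token, password, resetToken) are hypothetical.
const REQUIRED_FIELDS = ["username", "token", "password"];

function describe(value) {
  if (value === null) return "null";
  return Array.isArray(value) ? "array" : typeof value;
}

// Returns a list of problems; an empty list means every field is a literal string.
function validateResetBody(body) {
  if (body === null || typeof body !== "object" || Array.isArray(body)) {
    return ["body must be a JSON object"];
  }
  const problems = [];
  for (const field of REQUIRED_FIELDS) {
    const value = body[field];
    if (typeof value !== "string") {
      // Objects and arrays land here: a value that carries a query operator
      // must never be accepted where a literal string is expected.
      problems.push(`${field}: expected string, got ${describe(value)}`);
    } else if (value.length === 0 || value.length > 256) {
      problems.push(`${field}: length out of range`);
    }
  }
  for (const key of Object.keys(body)) {
    if (!REQUIRED_FIELDS.includes(key)) problems.push(`${key}: unexpected field`);
  }
  return problems;
}

// Builds the lookup filter only from validated strings, so every condition
// is an equality match on a literal value.
function buildResetFilter(body) {
  const problems = validateResetBody(body);
  if (problems.length > 0) {
    throw new TypeError("rejected reset request: " + problems.join("; "));
  }
  return { username: body.username, resetToken: body.token };
}

// Constructed sample inputs.
const wellFormed = { username: "alice", token: "constructed-token", password: "new-pass-phrase" };
const operatorValued = { username: "alice", token: { $ne: null }, password: "new-pass-phrase" };

console.log(validateResetBody(wellFormed));
console.log(validateResetBody(operatorValued));
```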

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Affected Products: 1


HarborGuard Analysis

Synopsis

A NoSQL injection vulnerability in the password reset endpoint of PenguinMod-BackendApi allows any authenticated user to take over other accounts. The endpoint is reachable over the network, requires only a low-privilege account plus a valid password reset token for that same account, and no victim interaction is needed. Successful exploitation lets an attacker reset and control any account on the platform. No fix version has been published yet; HarborGuard tracks the advisory and will make a patched-image rebuild available as soon as an upstream fix is released.

HarborGuard Coverage

Detection

Detection for CVE-2026-47181 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images derived from PenguinMod-BackendApi. Any image running a version below 1.0.0 is flagged automatically.

Status: Available

Triage

HarborGuard is capable of scoring this CVE at CVSS v4.0 8.7 (HIGH) and weighting that score against each customer environment's compliance policy to determine urgency. Triage findings are routable to the appropriate team inbox within each customer organization based on configured ownership rules.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released upstream. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will trigger without manual intervention once a fix version becomes available.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable password reset endpoint is exposed over the network, so an attacker must be able to reach the service via standard HTTP/S to deliver the injection payload.

  • Authentication: Required

    The attacker must hold a valid low-privilege registered account and a legitimate password reset token for that account; no anonymous or unauthenticated access path exists.

  • Victim interaction: Not required

    No action from the targeted account holder is needed; the attacker operates entirely through their own session against the endpoint.

  • Attack complexity (detail)

    Attack complexity is low, meaning the injection is reliable and requires no special environmental conditions, race windows, or memory layout knowledge to execute.

Blast Radius

  • Attacker resets the password of any targeted account, locking the legitimate user out and gaining full session control.
  • Attacker reads private account data, stored project files, and any personal information associated with the hijacked account.
  • Attacker modifies or deletes content owned by the compromised account, including published projects and profile settings.
  • Service availability is marginally degraded (the CVSS vector rates availability impact as low, VA:L), but the primary harm is full confidentiality and integrity loss on the affected account.

How HarborGuard Handles This

Available on HarborGuard: because no upstream fix exists for CVE-2026-47181 at this time, the platform monitors the advisory on every ingest cycle and will automatically initiate a patched-image rebuild the moment version 1.0.0 or a later fix is published upstream. In the interim, customers running affected PenguinMod-BackendApi images are advised to apply network-policy controls that restrict access to the password reset endpoint to trusted sources, consider feature-flag gating or temporary disabling of the reset endpoint if the application supports it, and enforce egress filtering to limit lateral movement in the event of a compromise. For customers with auto-remediation enabled, the full rebuild, regression test, and PR flow will trigger automatically once upstream ships, with no manual intervention required. Customers without auto-remediation will receive a detection alert and can initiate the rebuild manually from the HarborGuard dashboard.

Affected packages
  • PenguinMod / PenguinMod-BackendApi
    < 1.0.0
CVSS Vector
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:L/SC:N/SI:N/SA:N