CVE-2026-50635 | Severity: HIGH | Published | Modified | CNA: VulnCheck

CVE-2026-50635: LimeSurvey Password Reset Host Header Injection Discloses Reset Token

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host's newPassword endpoint to set a new password and take over the account.

Metrics

  • CVSS v4.0: 8.7
  • Severity: HIGH
  • Fixed in: 7.0.1
  • Affected Products: 1


HarborGuard Analysis

Synopsis

Host header injection in LimeSurvey's password-reset flow allows a remote, unauthenticated attacker to embed a genuine password-reset token inside a link pointing to an attacker-controlled hostname. The vulnerability is reachable over the network with no credentials required, but the attacker must induce the target user (or an automated mail-security scanner) to follow the crafted link. Successful exploitation gives the attacker the valid reset token, which can be replayed to set a new password and fully take over the targeted account. A patched-image rebuild at version 7.0.1 is available on HarborGuard for environments running an affected version.

HarborGuard Coverage

Detection (Available)

Detection of CVE-2026-50635 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images that bundle LimeSurvey at an affected version.

Triage (Available)

HarborGuard scores this finding at CVSS v4.0 8.7 (HIGH) and weights it against each environment's compliance policy to determine urgency; findings are routed automatically to the appropriate team inbox within the customer organization based on configured policy rules.

Patch (Available)

A patched-image rebuild at LimeSurvey 7.0.1 becomes available on HarborGuard as soon as the fix version is resolvable from the upstream package feed. For customers who opt into auto-remediation, HarborGuard triggers a rebuild, runs a regression test suite against the new image, and opens a pull request against affected workloads without manual intervention.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the LimeSurvey password-reset endpoint over the network; the service must be exposed to the internet or a network the attacker can access.

  • Authentication: Not required

    No account or session is needed; the forgotten-password endpoint is publicly accessible and accepts unauthenticated requests.

  • Victim interaction: Required

    The target user (or an automated inbound mail-security link scanner acting on behalf of the user) must dereference the crafted reset link for the token to be disclosed to the attacker.

  • Attack complexity: Low (AC:L in the CVSS vector)

    Exploitation is reliable and condition-free once the target's username and email are known; no race conditions or special memory layout are required.

Blast Radius

  • The attacker obtains the genuine password-reset token for the targeted account and replays it to set a new password, locking out the legitimate owner.
  • Full confidentiality of the compromised account is lost; the attacker can read all surveys, responses, and participant data accessible to that account.
  • The attacker can modify or delete surveys, responses, and account settings, corrupting or destroying collected research data.
  • If the compromised account holds admin privileges, the attacker gains administrative control over the entire LimeSurvey instance, affecting all surveys and user data hosted there.

How HarborGuard Handles This

Available on HarborGuard: images running LimeSurvey at or below version 7.0 are flagged against this CVE within minutes of the advisory being ingested. For customers who opt into auto-remediation, HarborGuard rebuilds the image at version 7.0.1, runs regression tests, and opens a pull request against affected workloads; for high-severity findings, the median time from CVE publication to merged patch PR is around 90 minutes in environments with auto-remediation enabled. Where compliance policy requires manual approval, the finding is surfaced in the customer dashboard with the CVSS 8.7 HIGH score and a direct link to the upstream fix. As a compensating control until the patch is applied, restricting inbound access to the password-reset endpoint by network policy and configuring a validated allowedHosts allowlist in LimeSurvey's configuration will prevent the Host header from being spoofed in reset emails.
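The following is an added example, written in Python for this page and not LimeSurvey's own PHP code. It models the defect described in the advisory above (a reset link whose hostname is copied from the request's Host header) beside the hardened pattern behind the compensating control just mentioned: the Host header is checked against a configured allowlist that fails closed when unset, and the link is built only from a configured canonical base URL. The allowlist contents, the canonical base, the `/newPassword` path and the `validation_key` query parameter name are constructed assumptions; the advisory names only the endpoint and the token. The last helper is a defender-side check that can be run over outgoing reset emails to see which host would receive the token if the link were followed.

```python
import secrets
from urllib.parse import urlencode, urlsplit, urlunsplit

# Constructed deployment values (assumptions, not LimeSurvey's real config keys).
CANONICAL_BASE = "https://survey.example.org"
ALLOWED_HOSTS = {"survey.example.org"}
# Assumed path for the reset endpoint; the advisory only calls it "newPassword".
RESET_PATH = "/newPassword"


def hostname_of(host_header):
    """Return the hostname part of a Host header value, dropping any port and
    handling bracketed IPv6 literals such as "[::1]:8080"."""
    host = host_header.strip().lower()
    if host.startswith("[") and "]" in host:
        return host[1:host.index("]")]
    return host.split(":", 1)[0]


def is_allowed_host(host_header, allowed_hosts):
    """Fail closed: an unset or empty allowlist rejects every host.
    The advisory's problem is the opposite default, where an undefined
    allowlist turns the check into a no-op and any Host value passes."""
    if not allowed_hosts:
        return False
    return hostname_of(host_header) in allowed_hosts


def build_reset_link_vulnerable(host_header, username, validation_key):
    """The flawed pattern: the link's host is taken straight from the request,
    so a spoofed Host header ends up in the email sent to the account owner."""
    query = urlencode({"user": username, "validation_key": validation_key})
    return urlunsplit(("https", host_header, RESET_PATH, query, ""))


def build_reset_link_hardened(host_header, username, validation_key,
                              allowed_hosts=ALLOWED_HOSTS, base=CANONICAL_BASE):
    """Reject requests whose Host is not allowlisted and, even for allowed
    hosts, build the link from the configured base URL rather than the header."""
    if not is_allowed_host(host_header, allowed_hosts):
        raise ValueError("rejected reset request: Host header not in allowlist")
    query = urlencode({"user": username, "validation_key": validation_key})
    return base.rstrip("/") + RESET_PATH + "?" + query


def link_discloses_token_to(link, allowed_hosts=ALLOWED_HOSTS):
    """Defender's check on an outgoing reset email: the hostname that would
    receive the token if the link is dereferenced, or None if it is one of ours."""
    host = hostname_of(urlsplit(link).netloc)
    return None if host in allowed_hosts else host


def new_validation_key():
    """Unpredictable reset token; the advisory's issue is disclosure, not entropy."""
    return secrets.token_urlsafe(32)


if __name__ == "__main__":
    key = new_validation_key()
    # Constructed spoofed Host header value for the demonstration.
    bad = build_reset_link_vulnerable("attacker.example", "alice", key)
    print("vulnerable:", bad, "-> token delivered to", link_discloses_token_to(bad))
    good = build_reset_link_hardened("survey.example.org:443", "alice", key)
    print("hardened:  ", good, "-> leaks to", link_discloses_token_to(good))
```

Note the design choice in `is_allowed_host`: a missing allowlist means "allow nothing", so a deployment that forgets to configure it fails loudly at the first reset request instead of silently trusting every Host header. `link_discloses_token_to` is useful as a mail-gateway or unit-test assertion that no reset email ever carries a link to a host outside the allowlist.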


Fix available: 7.0.1

Affected packages

  • LimeSurvey / LimeSurvey: ≤ 7.0, fixed in 7.0.1

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N