DIVD-2026-00010 - Improper Access Control in Hashtopolis Server
| Our reference | DIVD-2026-00010 |
| Case lead | Max van der Horst |
| Author | DIVD CSIRT |
| Researcher(s) |
|
| CVE(s) | |
| Products |
|
| Versions |
|
| Recommendation | Update Hashtopolis to version 0.14.8 or later. |
| Patch status | Fully patched |
| Status | Open |
| Last modified | 16 Jul 2026 14:59 CEST |
Summary
Hashtopolis is an open-source, web-based distributed hash cracking management platform. It allows administrators to coordinate multiple agents in cracking password hashes and stores cracked results centrally on the server.
A vulnerability was discovered in the Hashtopolis server web interface’s chunk activity component. Due to missing access controls (CWE-639), any account created on a Hashtopolis instance — regardless of assigned role or privilege level — can read all cracked hashes stored on that instance. This means a low-privileged account can exfiltrate the complete results of all hash cracking jobs run on the server.
This vulnerability has a CVSS 4.0 base score of 7.1 (HIGH) (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/R:I).
What you can do
- Update. Upgrade your Hashtopolis server to version 0.14.8 or later, which contains a fix for this vulnerability.
- Audit account access. Review all accounts on your Hashtopolis instance and remove any accounts that should not have access, including those created solely for agent registration.
- Rotate sensitive data. If you cannot rule out unauthorized access, treat all cracked hashes stored on the instance as potentially compromised and rotate the corresponding credentials.
What we are doing
Mateo Hahn of Bureau Veritas has performed coordinated disclosure with the Hashtopolis maintainers. They have issued a patch.
Timeline
| Date | Description |
|---|---|
| 15 Apr 2026 | Vulnerability discovered by Mateo Hahn is fixed in v0.14.9 and patch is released. |
| 16 Jul 2026 | CVE-2026-22093 published. DIVD publishes casefile. |