Skip to the content.

DIVD-2026-00010 - Improper Access Control in Hashtopolis Server

Our reference DIVD-2026-00010
Case lead Max van der Horst
Author DIVD CSIRT
Researcher(s)
CVE(s)
Products
  • Hashtopolis
Versions
  • All versions prior to 0.14.8
Recommendation Update Hashtopolis to version 0.14.8 or later.
Patch status Fully patched
Status Open
Last modified 16 Jul 2026 14:59 CEST

Summary

Hashtopolis is an open-source, web-based distributed hash cracking management platform. It allows administrators to coordinate multiple agents in cracking password hashes and stores cracked results centrally on the server.

A vulnerability was discovered in the Hashtopolis server web interface’s chunk activity component. Due to missing access controls (CWE-639), any account created on a Hashtopolis instance — regardless of assigned role or privilege level — can read all cracked hashes stored on that instance. This means a low-privileged account can exfiltrate the complete results of all hash cracking jobs run on the server.

This vulnerability has a CVSS 4.0 base score of 7.1 (HIGH) (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/R:I).

What you can do

What we are doing

Mateo Hahn of Bureau Veritas has performed coordinated disclosure with the Hashtopolis maintainers. They have issued a patch.

Timeline

Date Description
15 Apr 2026 Vulnerability discovered by Mateo Hahn is fixed in v0.14.9 and patch is released.
16 Jul 2026 CVE-2026-22093 published. DIVD publishes casefile.
gantt title DIVD-2026-00010 - Improper Access Control in Hashtopolis Server dateFormat YYYY-MM-DD axisFormat %e %b %Y section Case DIVD-2026-00010 - Improper Access Control in Hashtopolis Server (still open) :2026-04-15, 2026-07-24 section Events Vulnerability discovered by Mateo Hahn is fixed in v0.14.9 and patch is released. : milestone, 2026-04-15, 0d CVE-2026-22093 published. DIVD publishes casefile. : milestone, 2026-07-16, 0d

More information