Skip to the content.

CVE-2026-22093

Improper access control in Hashtopolis server chunk activity component

CVE CVE-2026-22093
Title Improper access control in Hashtopolis server chunk activity component
Credits
  • Mateo Hahn, Bureau Veritas Cybersecurity (finder)
  • Wessel Baltus (analyst)
  • Max van der Horst (analyst)
Affected products
Product Affected Unaffected Unknown
Hashtopolis >= 0 to < 0.14.8 (git)
everything else
CVSS
Base score 7.1 - HIGH
Attack Vector NETWORK
Attack Complexity> LOW
Attack Requirements NONE
Privileges Required LOW
Confidentiality Impact
Vulnerable system HIGH Subsequent systems NONE
Integrity Impact
Vulnerable system NONE Subsequent systems NONE
Availability Impact
Vulnerable system NONE Subsequent systems NONE
Safety impact NOT_DEFINED
Automatable NOT_DEFINED
Recovery IRRECOVERABLE
Value Density NOT_DEFINED
Vulnerability Response effort NOT_DEFINED
Provider Urgency NOT_DEFINED
References
Problem type(s) CWE-639 Authorization bypass through User-Controlled key
Impact(s) Any authenticated account on an affected Hashtopolis instance can read all cracked hashes stored on the server, regardless of assigned role or privilege level.
Date published
Last modified

Description

Improper access control in Hashtopolis server web-interface chunk activity component for versions prior to 0.14.8 allows any created account to read all cracked hashes of a Hashtopolis server instance.


JSON version.