CVE Catalog

CVE-2026-50635

HighCVSS 8.8
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.07%

22th percentile - higher than 22% of all known CVEs

Summary

LimeSurvey constructs password-reset links based on the client-supplied HTTP Host header without validating it. The default configuration does not define an allowed hosts allowlist, allowing an attacker to take over an account by sending a spoofed password reset request.

Risk Assessment

An attacker can take over a user's account by gaining access to a valid password reset token, leading to unauthorized access to user data.

Recommendation

It is recommended to configure the allowed hosts list in LimeSurvey and implement validation of the HTTP Host header to prevent such attacks.

Original NVD description (English source)

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host's newPassword endpoint to set a new password and take over the account.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS