CVE-2024-55076

HighPublic PoC

Published: 06 January 2025

Published

06 January 2025

Modified

05 September 2025

KEV Added

—

Patch

—

CVSS Score 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0009 25.9th percentile

Risk Priority 16 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2024-55076 is a high-severity CSRF (CWE-352) vulnerability in Grocy Project Grocy. Its CVSS base score is 8.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Account Manipulation (T1098); ranked at the 25.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SC-23 (Session Authenticity) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Account Manipulation (T1098) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match

prevent

SC-23 requires mechanisms to protect session authenticity, directly mitigating CSRF by preventing forged requests from impersonating authenticated user sessions.

SI-10 Information Input Validation good match

prevent

SI-10 mandates validation of information inputs, enabling verification of CSRF tokens on state-changing endpoints like administrator password changes.

IA-11 Re-authentication partial match

prevent

IA-11 requires re-authentication for privileged operations, such as password changes, blocking CSRF attacks that lack the user's credentials.

MITRE ATT&CK Enterprise TechniquesAI

T1098 Account Manipulation Persistence

Adversaries may manipulate accounts to maintain and/or elevate access to victim systems.

attack.mitre.org →

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

CSRF directly enables forged account modifications (password change leading to takeover) and exploitation of the self-hosted web app over the network.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v18.1

NVD Description

Grocy through 4.3.0 has no CSRF protection, as demonstrated by changing the Administrator's password.

Deeper analysisAI

CVE-2024-55076 is a Cross-Site Request Forgery (CSRF) vulnerability, mapped to CWE-352, affecting Grocy through version 4.3.0. This open-source self-hosted grocery and household management application lacks CSRF protection entirely, enabling unauthorized actions on behalf of authenticated users. The issue is demonstrated by an attacker's ability to change the administrator's password via a forged request.

The vulnerability carries a CVSS v3.1 base score of 8.1 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating exploitation by unauthenticated attackers over the network, though it requires high attack complexity. Attackers can trick logged-in users into submitting malicious requests—such as via a crafted webpage or link—forcing actions like password changes without the user's knowledge or consent. This leads to high impacts on confidentiality, integrity, and availability, potentially allowing full administrative account takeover and subsequent control over the Grocy instance.

Advisories detail the vulnerability in the context of multiple issues in Grocy, including stored XSS and broken access control, as documented at https://m10x.de/posts/2024/11/all-your-recipe-are-belong-to-us-part-1/3-stored-xss-csrf-and-broken-access-control-vulnerabilities-in-grocy/. Security practitioners should consult this reference for exploitation proofs and recommended mitigations, such as upgrading to a patched version beyond 4.3.0 if available.