Cyber Resilience

CVE-2026-31881

HighPublic PoC

Published: 11 March 2026

Published
11 March 2026
Modified
16 March 2026
KEV Added
Patch
CVSS Score v3.1 7.7 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L
EPSS Score 0.0043 34.3th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-31881 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Runtipi Runtipi. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 34.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Deeper analysis

CVE-2026-31881 is a vulnerability in Runtipi, a personal homeserver orchestrator, affecting versions prior to 4.8.0. It stems from the POST /api/auth/reset-password endpoint being exposed without authentication or authorization checks, allowing an unauthenticated attacker to reset the operator (admin) password when a password-reset request is active. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), enables full account takeover and carries a CVSS v3.1 score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L).

The attack requires a password-reset request to be active, creating a 15-minute window during which any remote, unauthenticated user can exploit the endpoint. By sending a POST request, the attacker can set a new operator password and subsequently log in as admin, achieving complete control over the homeserver orchestrator.

The issue is addressed in Runtipi version 4.8.0. Additional details on the vulnerability and mitigation are available in the GitHub security advisory at https://github.com/runtipi/runtipi/security/advisories/GHSA-96fm-whrc-cwg3.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the…

more

15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Unauthenticated remote exploitation of a public-facing web API endpoint (POST /api/auth/reset-password) enables admin account takeover, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-25116Same product: Runtipi Runtipi
CVE-2026-32729Same product: Runtipi Runtipi
CVE-2026-24129Same product: Runtipi Runtipi
CVE-2026-4810Shared CWE-306
CVE-2025-53847Shared CWE-306
CVE-2025-61757Shared CWE-306
CVE-2025-68715Shared CWE-306
CVE-2026-21992Shared CWE-306
CVE-2025-26362Shared CWE-306
CVE-2026-48692Shared CWE-306

Affected Assets

runtipi
runtipi
≤ 4.8.0

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

AC-14 identifies and prohibits critical actions like unauthenticated password resets, directly preventing exploitation of the exposed endpoint.

prevent

AC-3 enforces access control policies to block unauthorized requests to the password reset endpoint.

prevent

IA-5 requires secure management of authenticators, including protections for password reset processes against unauthorized changes.

References