Cyber Posture

CVE-2026-31881

Severity: High · Public PoC

Published: 11 March 2026
Modified: 16 March 2026
KEV Added: not listed
Patch: fixed in 4.8.0
CVSS Score: 7.7 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS Score: 0.0060 (69.8th percentile)
Risk Priority: 16 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-31881 is a high-severity Missing Authentication for Critical Function (CWE-306) vulnerability in Runtipi (vendor Runtipi). Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks in the top 30.2% of CVEs by exploit likelihood (EPSS), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-14 (Permitted Actions Without Identification or Authentication) and AC-3 (Access Enforcement).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

- AC-14 (prevent): identifies and prohibits critical actions like unauthenticated password resets, directly preventing exploitation of the exposed endpoint.
- AC-3 (prevent): enforces access control policies to block unauthorized requests to the password reset endpoint.
- IA-5 (prevent): requires secure management of authenticators, including protections for password reset processes against unauthorized changes.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

Unauthenticated remote exploitation of a public-facing web API endpoint (POST /api/auth/reset-password) enables admin account takeover, directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.

Deeper analysis

CVE-2026-31881 is a vulnerability in Runtipi, a personal homeserver orchestrator, affecting versions prior to 4.8.0. It stems from the POST /api/auth/reset-password endpoint being exposed without authentication or authorization checks, allowing an unauthenticated attacker to reset the operator (admin) password when a password-reset request is active. This flaw, classified under CWE-306 (Missing Authentication for Critical Function), enables full account takeover and carries a CVSS v3.1 score of 7.7 (AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L).

The attack requires a password-reset request to be active, creating a 15-minute window during which any remote, unauthenticated user can exploit the endpoint. By sending a POST request, the attacker can set a new operator password and subsequently log in as admin, achieving complete control over the homeserver orchestrator.

The issue is addressed in Runtipi version 4.8.0. Additional details on the vulnerability and mitigation are available in the GitHub security advisory at https://github.com/runtipi/runtipi/security/advisories/GHSA-96fm-whrc-cwg3.

Details

CWE(s): CWE-306 Missing Authentication for Critical Function

Affected Products: runtipi / runtipi ≤ 4.8.0

CVEs Like This One

- CVE-2026-25116 (same product: Runtipi Runtipi)
- CVE-2026-32729 (same product: Runtipi Runtipi)
- CVE-2026-24129 (same product: Runtipi Runtipi)
- CVE-2026-26340 (shared CWE-306)
- CVE-2025-54816 (shared CWE-306)
- CVE-2025-53072 (shared CWE-306)
- CVE-2026-4640 (shared CWE-306)
- CVE-2026-40884 (shared CWE-306)
- CVE-2026-34279 (shared CWE-306)
- CVE-2026-44413 (shared CWE-306)
