
CVE-2026-34072

Severity: High (updated)

Published: 01 April 2026
Modified: 02 June 2026
CVSS v3.1 score: 8.3 (CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L)
EPSS score: 0.0044 (35.2th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-34072 is a high-severity Improper Authentication (CWE-287) vulnerability in Fccview Cronmaster. Its CVSS base score is 8.3 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 35.2th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and IA-2 (Identification and Authentication (Organizational Users)).

Deeper analysis

CVE-2026-34072 is an authentication bypass vulnerability in CronMaster (cronmaster), an open-source cronjob management UI that provides human-readable syntax, live logging, and log history for cronjobs. In versions prior to 2.2.0, the middleware fails to validate sessions properly: when the session-validation fetch fails, an unauthenticated request carrying an invalid session cookie is treated as authenticated (the check fails open instead of closed). This issue is associated with CWE-287 (Improper Authentication), CWE-306 (Missing Authentication for Critical Function), and CWE-693 (Protection Mechanism Failure), and carries a CVSS v3.1 base score of 8.3 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L).

Attackers with adjacent network access can exploit this vulnerability without privileges or user interaction by sending crafted requests containing an invalid session cookie. If the middleware's session-validation fetch fails, the requests bypass authentication, enabling unauthorized access to protected pages and execution of privileged Next.js Server Actions. This results in high confidentiality and integrity impacts, with limited availability disruption.
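To make the bug class concrete, here is an added illustration (constructed for this page, not CronMaster's code and not taken from the advisory) of the fail-open decision shape the analysis describes, beside its fail-closed counterpart, in a hypothetical session-checking middleware; the session store, cookie values and function names are all assumptions.

```javascript
// Added model of the fail-open pattern described above. Not CronMaster's own
// code: a constructed, synchronous stand-in for a Next.js-style middleware
// that decides access from a session cookie. All names are hypothetical.

const VALID_SESSIONS = new Set(["sess-ok"]); // constructed sample session store

// Stand-in for the session-validation fetch. Returns { ok } or throws to
// simulate the backend being unreachable (the real call would be async).
function lookupSession(cookie, { fail = false } = {}) {
  if (fail) throw new Error("session service unreachable");
  return { ok: VALID_SESSIONS.has(cookie) };
}

// Fail-open shape: the decision variable defaults to "allow", the lookup error
// is swallowed, and the deny branch is never reached, so the request proceeds.
function vulnerableMiddleware(cookie, opts) {
  let deny = false;
  try {
    if (!lookupSession(cookie, opts).ok) deny = true;
  } catch (_) {
    // error ignored: deny is still false
  }
  return deny ? "redirect:/login" : "next";
}

// Fail-closed shape: the decision defaults to "deny"; only an explicit positive
// result from a successful lookup lets the request through.
function hardenedMiddleware(cookie, opts) {
  let authenticated = false;
  try {
    authenticated = lookupSession(cookie, opts).ok === true;
  } catch (_) {
    authenticated = false; // lookup failure means "not authenticated"
  }
  return authenticated ? "next" : "redirect:/login";
}

// Run both shapes across the three cases that matter for this bug class.
function compare() {
  const cases = [
    ["sess-ok", {}],           // valid cookie, backend healthy
    ["bogus", {}],             // invalid cookie, backend healthy
    ["bogus", { fail: true }], // invalid cookie, validation lookup fails
  ];
  return cases.map(([cookie, opts]) =>
    [vulnerableMiddleware(cookie, opts), hardenedMiddleware(cookie, opts)]);
}
```

The third case is the one the advisory describes: both shapes agree while the backend is healthy, and only the fail-closed version still denies when the lookup itself fails.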

The vulnerability has been addressed in CronMaster version 2.2.0. Security advisories recommend upgrading to this patched version. Additional details are available in the GitHub security advisory (GHSA-9whh-mffv-xvh6) and release notes for v2.2.0.

Vulnerability details

Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware's session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI-mapped)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The authentication bypass in the web-based CronMaster UI directly enables initial access by allowing crafted requests to exploit the vulnerable middleware and access protected functionality without credentials, mapping to T1190 Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-4959 (shared CWE-287, CWE-306)
CVE-2026-7723 (shared CWE-287, CWE-306)
CVE-2026-3192 (shared CWE-287, CWE-306)
CVE-2025-11529 (shared CWE-287, CWE-306)
CVE-2025-11942 (shared CWE-287, CWE-306)
CVE-2026-3053 (shared CWE-287, CWE-306)
CVE-2026-4562 (shared CWE-287, CWE-306)
CVE-2026-40344 (shared CWE-287, CWE-306)
CVE-2026-6582 (shared CWE-287, CWE-306)
CVE-2026-5676 (shared CWE-287, CWE-306)

Affected Assets

Vendor: fccview
Product: cronmaster
Versions: ≤ 2.2.0

Mitigating Controls (NIST 800-53 r5, AI-mapped)

IA-2 Identification and Authentication (Organizational Users) (prevent)

Requires unique identification and authentication of organizational users, directly preventing authentication bypass via invalid session cookies when validation fails.

AC-3 Access Enforcement (prevent)

Enforces approved authorizations for access to protected resources in middleware, blocking unauthenticated requests treated as valid due to session fetch failures.

prevent

Mandates identification, reporting, and patching of flaws like the middleware authentication bypass, enabling upgrade to the fixed version 2.2.0.

References