Runtipi homeserver orchestrator: Unauthenticated password reset

CVE-2026-31881
Summary

Runtipi versions before 4.8.0 let an unauthenticated remote user reset the operator (admin) password while a password-reset request is active, giving them control of the system. This means an attacker can gain full access to the homeserver without knowing any password. Update to 4.8.0 or later to fix this issue.

Original title
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account...
Original description
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.
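To illustrate the defect class (CWE-306), the following is an added example; it is not Runtipi's code and does not show how 4.8.0 fixed the issue. It places a minimal reset handler in the vulnerable shape (the only gate is an active 15-minute window) beside a hardened shape that additionally requires a one-time secret handed to the operator when the window is opened; all names are hypothetical.

```typescript
import { randomBytes, timingSafeEqual } from "node:crypto";

const RESET_WINDOW_MS = 15 * 60 * 1000; // the 15-minute window from the advisory

// State of an active reset request (hypothetical shape, not Runtipi's).
interface ResetRequest { token: Buffer; expiresAt: number; }

let activeReset: ResetRequest | null = null;
// Placeholder for a stored password hash; real code would use argon2/bcrypt.
let operatorPasswordHash = "hash-of-old-password";

// Operator-side step (e.g. run from the server console): opens the window
// and returns the one-time token that the hardened endpoint will demand.
export function openResetRequest(now = Date.now()): string {
  activeReset = { token: randomBytes(32), expiresAt: now + RESET_WINDOW_MS };
  return activeReset.token.toString("hex");
}

// Vulnerable shape: anyone who can reach the endpoint during the window
// may set a new operator password. Nothing ties the caller to the request.
export function resetPasswordUnauthenticated(newPassword: string, now = Date.now()): boolean {
  if (!activeReset || now > activeReset.expiresAt) return false;
  operatorPasswordHash = `hash-of-${newPassword}`;
  activeReset = null;
  return true;
}

// Hardened shape: the caller must also prove possession of the token issued
// when the window was opened; the token is compared in constant time and is
// consumed on first use, so the window cannot be replayed.
export function resetPasswordWithToken(newPassword: string, tokenHex: string, now = Date.now()): boolean {
  if (!activeReset) return false;
  if (now > activeReset.expiresAt) { activeReset = null; return false; }
  const presented = Buffer.from(tokenHex, "hex"); // invalid hex yields a short buffer
  if (presented.length !== activeReset.token.length) return false;
  if (!timingSafeEqual(presented, activeReset.token)) return false;
  operatorPasswordHash = `hash-of-${newPassword}`;
  activeReset = null; // single use
  return true;
}

export function currentPasswordHash(): string { return operatorPasswordHash; }
```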
NVD CVSS 3.1: 7.7
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 11 Mar 2026 · Updated: 13 Mar 2026 · First seen: 11 Mar 2026