
Exposed API Endpoint Allows Unauthenticated Password Reset

CVE-2026-1670
Summary

Certain versions of [Software Name] expose an API endpoint that lets an unauthenticated attacker change the email address used for a user's password reset, with no password or login credentials required. An attacker who controls that address can receive or redirect password reset emails and take over the affected account. To protect your users, update to the latest version of [Software Name], which fixes this vulnerability.

Original title
The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.
Original description
The affected products are vulnerable to an unauthenticated API endpoint exposure, which may allow an attacker to remotely change the "forgot password" recovery email address.
NVD CVSS 3.1: 9.8
NVD CVSS 4.0: 9.3
Vulnerability type
CWE-306 Missing Authentication for Critical Function
Published: 17 Feb 2026 · Updated: 11 Mar 2026 · First seen: 6 Mar 2026