Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
Known: Password Reset Token Leaked, Allowing Account Takeover
CVE-2026-26273
GHSA-78wq-6gcv-w28r
Summary
A security flaw in Known software version 1.6.2 allows anyone to steal a password reset token, giving them access to any account. This can happen if the email address of the account owner is known. To protect your account, ensure you're using a strong and unique password, and be cautious of any emails asking for password reset requests.
What to do
- Update idno known to version 1.6.3.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| idno | known | <= 1.6.2 | 1.6.3 |
| withknown | known | <= 1.6.3 | – |
Original title
Known affected by Account Takeover via Password Reset Token Leakage
Original description
### Summary
A Critical Broken Authentication vulnerability exists in Known 1.6.2. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox.
### Details
The vulnerability occurs within the password reset flow. When a reset is requested, the application generates a verification code. However, the subsequent reset page (/account/password/reset/) incorrectly reflects this code back to the client in the HTML source code.
Specifically, the sensitive token is embedded in:
<input type="hidden" name="code" value="[SECRET_TOKEN]">
Because this page is accessible via a GET request using the victim's email as a parameter, an attacker can programmatically extract the token.
### PoC
1. The attacker asks for a password reset for the victim
<img width="1328" height="580" alt="image" src="https://github.com/user-attachments/assets/0197907e-f10b-4e6d-989e-f25c408862cd" />
<img width="1139" height="452" alt="image(1)" src="https://github.com/user-attachments/assets/9a317b27-b56a-4663-9965-d3e660713f4e" />
2. The attacker makes the following curl command on the terminal using the victim's email, and is able to get the code that was sent as an hidden field in the HTML.
<img width="917" height="220" alt="image(2)" src="https://github.com/user-attachments/assets/af89ba3b-de56-4437-84b3-c1feb56d2348" />
3. With this code, the attacker is able to use it in order to reset the victim password.
<img width="1335" height="711" alt="image(3)" src="https://github.com/user-attachments/assets/498b8a2e-9eb2-4b50-bc35-26b0f2764c8d" />
<img width="1258" height="524" alt="image(4)" src="https://github.com/user-attachments/assets/d1304dc3-bf56-4ec7-920c-ecce502db6b0" />
4. The attacker is able to login with the new password.
<img width="1514" height="631" alt="image(5)" src="https://github.com/user-attachments/assets/2533032e-6f0d-45c8-9fe1-881bfedebcc4" />
<img width="1528" height="647" alt="image(6)" src="https://github.com/user-attachments/assets/a6e9144c-cc96-493d-8780-9156c299a192" />
### Impact
- An attacker can compromise any account on the platform, including administrative accounts, resulting in total loss of Confidentiality, Integrity, and Availability.
A Critical Broken Authentication vulnerability exists in Known 1.6.2. The application leaks the password reset token within a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user by simply querying the user's email, leading to full Account Takeover (ATO) without requiring access to the victim's email inbox.
### Details
The vulnerability occurs within the password reset flow. When a reset is requested, the application generates a verification code. However, the subsequent reset page (/account/password/reset/) incorrectly reflects this code back to the client in the HTML source code.
Specifically, the sensitive token is embedded in:
<input type="hidden" name="code" value="[SECRET_TOKEN]">
Because this page is accessible via a GET request using the victim's email as a parameter, an attacker can programmatically extract the token.
### PoC
1. The attacker asks for a password reset for the victim
<img width="1328" height="580" alt="image" src="https://github.com/user-attachments/assets/0197907e-f10b-4e6d-989e-f25c408862cd" />
<img width="1139" height="452" alt="image(1)" src="https://github.com/user-attachments/assets/9a317b27-b56a-4663-9965-d3e660713f4e" />
2. The attacker makes the following curl command on the terminal using the victim's email, and is able to get the code that was sent as an hidden field in the HTML.
<img width="917" height="220" alt="image(2)" src="https://github.com/user-attachments/assets/af89ba3b-de56-4437-84b3-c1feb56d2348" />
3. With this code, the attacker is able to use it in order to reset the victim password.
<img width="1335" height="711" alt="image(3)" src="https://github.com/user-attachments/assets/498b8a2e-9eb2-4b50-bc35-26b0f2764c8d" />
<img width="1258" height="524" alt="image(4)" src="https://github.com/user-attachments/assets/d1304dc3-bf56-4ec7-920c-ecce502db6b0" />
4. The attacker is able to login with the new password.
<img width="1514" height="631" alt="image(5)" src="https://github.com/user-attachments/assets/2533032e-6f0d-45c8-9fe1-881bfedebcc4" />
<img width="1528" height="647" alt="image(6)" src="https://github.com/user-attachments/assets/a6e9144c-cc96-493d-8780-9156c299a192" />
### Impact
- An attacker can compromise any account on the platform, including administrative accounts, resulting in total loss of Confidentiality, Integrity, and Availability.
nvd CVSS3.0
9.8
Vulnerability type
CWE-200
Information Exposure
CWE-640
Published: 13 Feb 2026 · Updated: 10 Mar 2026 · First seen: 6 Mar 2026