Description
Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.
Published: 2026-03-11
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Account Takeover
Action: Patch
AI Analysis

Impact

The vulnerability in Runtipi allows an unauthenticated attacker to reset the operator (admin) password during an active password‑reset window. The POST /api/auth/reset-password endpoint lacks authentication or authorization checks, enabling any remote user to set a new operator password within a 15‑minute window. This results in full operator account takeover, granting the attacker full control and the ability to compromise all hosted services and data. The flaw is a CWE-306 style authentication bypass.

Affected Systems

The flaw affects all Runtipi installations running versions earlier than 4.8.0. The issue is fixed in Runtipi 4.8.0 and later. The affected product is the Runtipi personal homeserver orchestrator, as identified by the cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*.

Risk and Exploitability

The CVSS score of 7.7 indicates high severity, while the EPSS score of under 1% suggests that exploitation may be unlikely at present. Since the vulnerability is not listed in CISA’s KEV table, it is not known to be widely exploited. Attackers would need only to trigger the password‑reset process and wait for the 15‑minute window; no special access is required, making the attack straightforward for an unauthenticated remote user.

Generated by OpenCVE AI on March 16, 2026 at 23:12 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Runtipi to version 4.8.0 or later.

Generated by OpenCVE AI on March 16, 2026 at 23:12 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 16 Mar 2026 21:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:runtipi:runtipi:*:*:*:*:*:*:*:*

Thu, 12 Mar 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 12 Mar 2026 10:15:00 +0000

Type Values Removed Values Added
First Time appeared Runtipi
Runtipi runtipi
Vendors & Products Runtipi
Runtipi runtipi

Wed, 11 Mar 2026 19:00:00 +0000

Type Values Removed Values Added
Description Runtipi is a personal homeserver orchestrator. Prior to 4.8.0, an unauthenticated attacker can reset the operator (admin) password when a password-reset request is active, resulting in full account takeover. The endpoint POST /api/auth/reset-password is exposed without authentication/authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as admin. This vulnerability is fixed in 4.8.0.
Title Runtipi unauthenticated /api/auth/reset-password allows operator account takeover during active reset window
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 7.7, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Runtipi Runtipi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-12T20:06:56.196Z

Reserved: 2026-03-09T21:59:02.686Z

Link: CVE-2026-31881

cve-icon Vulnrichment

Updated: 2026-03-12T20:06:53.513Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-11T19:16:04.787

Modified: 2026-03-16T20:53:43.683

Link: CVE-2026-31881

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-20T15:29:32Z

Weaknesses