CVE-2026-32602 - Vulnerability Details

- Homarr has a Race Condition in Invite Token Registration (TOCTOU)

Description

Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: CHECK, CREATE, and DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0.

Published: 2026-04-06

Score: 4.2 Medium

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The race condition allows an attacker to create multiple user accounts using a single-use invite token by exploiting the lack of atomicity between the check, create, and delete database operations. This flaw can lead to an inflated user base, potential misuse of privileges associated with the token, and an elevated risk of unauthorized access or denial of service from an increased number of accounts.

Affected Systems

The vulnerability affects the Homarr dashboard from homarr-labs. Any deployment running a version earlier than 1.57.0 is susceptible. Homarr is an open-source web‑based interface for managing services; the registration endpoint in those affected versions can be abused through the race condition.

Risk and Exploitability

The CVSS score of 4.2 indicates moderate severity, and the EPSS score of less than 1% suggests low likelihood of widespread exploitation. This issue is not listed in the CISA Known Exploited Vulnerabilities catalog. Exploitation would require an attacker to obtain a valid invite token and submit multiple registration requests simultaneously or in rapid succession to bypass the single‑use check.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

homarr-labs

homarr

affected

Version	Status	Constraints
`< 1.57.0`	affected	—

Configuration 1 [-]

cpe:2.3:a:homarr:homarr:*:*:*:*:*:*:*:*

No data.

Vendor Product Confidence Versions

Homarr-labs

Homarr

100%

Version	Status	Scheme	Platform
`[0,1.57.0)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade Homarr to version 1.57.0 or newer.
If an upgrade is not immediately possible, disable or restrict the registration endpoint until a fix is applied.
Audit and monitor account creation logs for anomalous or rapid signup activity.
Remove any public distribution of invite tokens and enforce stricter token management policies.

Generated by OpenCVE AI on April 10, 2026 at 19:42 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

No CVSS v4.0

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.00029.

Exploitation poc

Automatable no

Technical Impact partial

References

Link	Providers
https://github.com/homarr-labs/homarr/security/advisories/GHSA-vfw3-53q9-2hp8

History

Fri, 10 Apr 2026 18:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Homarr Homarr homarr
CPEs		cpe:2.3:a:homarr:homarr::::::::
Vendors & Products		Homarr Homarr homarr

Tue, 07 Apr 2026 00:00:00 +0000

Type	Values Removed	Values Added
First Time appeared		Homarr-labs Homarr-labs homarr
Vendors & Products		Homarr-labs Homarr-labs homarr

Mon, 06 Apr 2026 16:45:00 +0000

Type	Values Removed	Values Added
Metrics		ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}`

Mon, 06 Apr 2026 15:30:00 +0000

Type	Values Removed	Values Added
Description		Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operations without a transaction: CHECK, CREATE, and DELETE. Because these operations are not atomic, concurrent requests can all pass the validation step (1) before any of them reaches the deletion step (3). This allows multiple accounts to be registered using a single invite token that was intended to be single-use. This vulnerability is fixed in 1.57.0.
Title		Homarr has a Race Condition in Invite Token Registration (TOCTOU)
Weaknesses		CWE-367
References		https://github.com/homarr-labs/homarr/security/advisories/GHSA-vfw3-53q9-2hp8
Metrics		cvssV3_1 `{'score': 4.2, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N'}`

Subscriptions

Homarr Homarr

Homarr-labs Homarr

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2026-04-06T14:42:37.488Z

Updated: 2026-04-06T15:41:09.966Z

Reserved: 2026-03-12T14:54:24.269Z

Link: CVE-2026-32602

Vulnrichment

Updated: 2026-04-06T15:32:05.947Z

NVD

Status : Analyzed

Published: 2026-04-06T15:17:10.000

Modified: 2026-04-10T18:00:42.037

Link: CVE-2026-32602

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-13T14:27:47Z

Weaknesses

CWE-367

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity High

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact Low

Availability Impact None

User Interaction None

Exploitation poc

Automatable no

Technical Impact partial

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object