Description
Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.
Published: 2026-04-01
Score: 8.3 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Immediate Patch
AI Analysis

Impact

A flaw in the middleware authentication checks of Cronmaster allows unauthenticated users to be treated as authenticated when an invalid session cookie results in a failed session‑validation fetch. As a consequence, attackers can view protected pages and trigger privileged Next.js Server Actions without proper credentials. The vulnerability stems from improper session handling (CWE‑287, CWE‑306, CWE‑693).
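
The fail-open pattern described above, next to a fail-closed version, as an added illustration. This is not Cronmaster's code: the function names, return values and the `validate` callback (a stand-in for the middleware's session-validation fetch) are hypothetical.

```javascript
// Added illustration: NOT Cronmaster's code. All names here are hypothetical.
// `validate(cookie)` stands in for the middleware's session-validation fetch:
// it resolves to { ok: boolean } or rejects when the call itself fails.

// Fail-open: an error during validation falls through to "allow".
async function failOpenGate(cookie, validate) {
  if (!cookie) return "redirect-to-login";
  try {
    const res = await validate(cookie);
    if (!res.ok) return "redirect-to-login";
  } catch (err) {
    // Bug class: the failure is swallowed and the request continues.
  }
  return "allow";
}

// Fail-closed: only an explicit, positive validation result grants access.
async function failClosedGate(cookie, validate) {
  if (!cookie) return "redirect-to-login";
  try {
    const res = await validate(cookie);
    return res && res.ok === true ? "allow" : "redirect-to-login";
  } catch (err) {
    return "redirect-to-login"; // validation unavailable => deny
  }
}

// Constructed validators covering the three outcomes of the check.
const validSession = async () => ({ ok: true });
const rejectedSession = async () => ({ ok: false });
const unreachable = async () => { throw new Error("fetch failed"); };

// Run both gates against every outcome using a constructed cookie value.
async function compare(cookie = "session=constructed-invalid-value") {
  const rows = [];
  const validators = { validSession, rejectedSession, unreachable };
  for (const [name, v] of Object.entries(validators)) {
    rows.push({
      name,
      failOpen: await failOpenGate(cookie, v),
      failClosed: await failClosedGate(cookie, v),
    });
  }
  return rows;
}

compare().then((rows) => console.table(rows));
```

The two gates differ only in the `unreachable` row, which is why a review or regression test of authentication middleware should include a case where the validation call itself fails.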

Affected Systems

The issue affects the fccview Cronmaster application, specifically all releases before version 2.2.0. Any deployment using these older versions is susceptible until patched.

Risk and Exploitability

The CVSS v3 score of 8.3 indicates high severity, while no EPSS data is available and it is not listed in KEV. The likely attack vector is an unauthenticated HTTP request sent to any protected endpoint. If exploited, an attacker could obtain privileged access that may lead to further compromise. Because the description gives no specific exploitation method to block, reducing the risk requires patching the middleware rather than relying solely on defensive controls.

Generated by OpenCVE AI on April 2, 2026 at 03:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest cronmaster release (v2.2.0) or newer to eliminate the middleware flaw.
  • Verify that no legacy Cronmaster versions remain in production and that the upgraded code is successfully deployed.
  • If an upgrade cannot be performed immediately, enhance network or application‑level access controls to restrict unauthenticated traffic to protected pages.
  • Enable comprehensive logging and actively monitor for anomalous authentication attempts or unauthorized server‑action invocations.

Generated by OpenCVE AI on April 2, 2026 at 03:46 UTC.

Advisories

No advisories yet.

History

Thu, 02 Apr 2026 20:30:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| First Time appeared | | Fccview; Fccview cronmaster |
| Vendors & Products | | Fccview; Fccview cronmaster |

Wed, 01 Apr 2026 23:45:00 +0000

| Type | Values Removed | Values Added |
| --- | --- | --- |
| Description | | Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0. |
| Title | | cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution |
| Weaknesses | | CWE-287, CWE-306, CWE-693 |
| References | | |
| Metrics | | cvssV3_1: {'score': 8.3, 'vector': 'CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L'}; ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'} |


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-01T17:45:11.248Z

Reserved: 2026-03-25T16:21:40.867Z

Link: CVE-2026-34072

Vulnrichment

Updated: 2026-04-01T17:45:06.888Z

NVD

Status: Awaiting Analysis

Published: 2026-04-01T18:16:29.340

Modified: 2026-04-03T16:10:52.680

Link: CVE-2026-34072

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-02T20:17:12Z

Weaknesses