Description
An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.
Published: 2026-05-05
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An attacker who knows a user's account identifier can exploit a flaw in Gambio 4.9.2.0’s password reset feature to set an arbitrary password for that account. The vulnerability allows a direct bypass of the reset mechanism, effectively granting the attacker full control over the targeted account. This can lead to unauthorized access to sensitive data and potential escalation to other parts of the system if the account has elevated privileges.

Affected Systems

The security issue affects Gambio 4.9.2.0, which was patched in the 2024‑02 v1.0.0 release for GX4 versions ranging from v4.0.0.0 to v4.9.2.0. System administrators should verify whether their installations run any of these affected versions and plan to migrate to the patched release.

Risk and Exploitability

The vulnerability is remotely exploitable through the web interface where the password reset function is exposed, assuming the attacker can determine a valid account ID. While EPSS data is not available and the entry is not listed in the CISA KEV catalog, the ability to take over any account grants significant confidentiality, integrity and availability risk. No CVSS score is provided, but based solely on the described impact, the security community would rate the severity as high.

Generated by OpenCVE AI on May 5, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Gambio to the 2024‑02 v1.0.0 patch or later for GX4 v4.0.0.0 to v4.9.2.0.
  • Disable or protect the password‑reset endpoint by requiring a one‑time token or CAPTCHA to prevent automated exploitation.
  • Enable multi‑factor authentication for all critical user accounts and monitor for unusual password‑change activity.

Generated by OpenCVE AI on May 5, 2026 at 15:23 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 05 May 2026 16:00:00 +0000

Type Values Removed Values Added
First Time appeared Gambio
Gambio gambio
Vendors & Products Gambio
Gambio gambio

Tue, 05 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Password Reset Bypass in Gambio 4.9.2.0 Enables Arbitrary Password Setting
Weaknesses CWE-287

Tue, 05 May 2026 14:00:00 +0000

Type Values Removed Values Added
Description An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.
References

Subscriptions

Gambio Gambio
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-05T13:29:49.337Z

Reserved: 2026-03-27T00:00:00.000Z

Link: CVE-2026-34408

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-05T14:16:08.623

Modified: 2026-05-05T14:16:08.623

Link: CVE-2026-34408

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-05T16:00:17Z

Weaknesses