Description
Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111.
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via unauthorized event modification
Action: Patch immediately
AI Analysis

Impact

Cronicle is a multi‑server task scheduler with a web‑based UI. Prior to version 0.9.111 child processes can emit JSON that contains an update_event key. The server applies this key directly to the parent event’s stored configuration without checking the user’s authorization. An attacker who can create and run events therefore gains the ability to modify any event property, including webhook URLs and notification emails, which is a form of privilege escalation. The weakness is classed as CWE‑862, indicating improper authorization.

Affected Systems

All installations of jhuckaby Cronicle older than 0.9.111 are affected. The vulnerability requires that the user have permission to create or run events on the server, meaning users with the ability to schedule jobs can exploit it.

Risk and Exploitability

The CVSS score of 5.3 indicates moderate severity. EPSS data is not available and the issue is not listed in the CISA KEV catalog, suggesting no widely known exploitation yet. The attack vector is inferred to be the ability to schedule and execute jobs locally on the server, with the attacker injecting the update_event field to alter event behavior.

Generated by OpenCVE AI on April 8, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cronicle to version 0.9.111 or later to eliminate the flaw.

Generated by OpenCVE AI on April 8, 2026 at 00:22 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 15 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Cronicle
Cronicle cronicle
CPEs cpe:2.3:a:cronicle:cronicle:*:*:*:*:*:*:*:*
Vendors & Products Cronicle
Cronicle cronicle
Metrics cvssV3_1

{'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}

Wed, 08 Apr 2026 19:45:00 +0000

Type Values Removed Values Added
First Time appeared Jhuckaby
Jhuckaby cronicle
Vendors & Products Jhuckaby
Jhuckaby cronicle

Wed, 08 Apr 2026 17:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111.
Title Privilege Escalation via update_event Job Output in Cronicle
Weaknesses CWE-862
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Cronicle Cronicle
Jhuckaby Cronicle
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T16:14:54.345Z

Reserved: 2026-04-06T22:06:40.516Z

Link: CVE-2026-39401

cve-icon Vulnrichment

Updated: 2026-04-08T16:11:38.507Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T21:17:18.547

Modified: 2026-06-17T10:42:03.383

Link: CVE-2026-39401

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:45:48Z

Weaknesses