Description
Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.
Published: 2026-05-08
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Password Pusher exposes a generic JSON API create path at /p.json. Prior to versions 1.69.3 and 2.4.2, under certain configurations this path also accepted file-type pushes (the "file upload alias" named in the advisory title) without requiring authentication, so anyone who could reach the endpoint could upload files as pushes without credentials. This bypasses the authentication boundary that is supposed to gate file push creation (CWE-288, Authentication Bypass Using an Alternate Path or Channel). Note what the CVSS vector does and does not claim: confidentiality impact is none, so the exposure is unauthorized use of the instance's file storage and push hosting (integrity and availability), not disclosure of existing pushes.

Affected Systems

The affected vendor is pglombardo, product PasswordPusher (OSS edition). Versions older than 1.69.3 in the 1.x branch and older than 2.4.2 in the 2.x branch are vulnerable. The branches are independent, so a plain "newer than 1.69.3" comparison is not enough: 2.4.1 is newer than 1.69.3 but still affected. The advisory says the bypass applies "under certain configurations" without specifying which, so any deployment on an earlier release should be treated as exposed until updated.
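The per-branch ranges above are easy to get wrong with a single version comparison. As an added example (not part of the OpenCVE page and not PasswordPusher project code), this Ruby snippet uses the standard-library Gem::Version to decide whether a deployed release string falls inside an affected range; the fixed versions are the two named in the advisory, and the function name is arbitrary.

```ruby
# Added example, not PasswordPusher project code: classify a PasswordPusher
# release string against the CVE-2026-41308 affected ranges.
# Fixed versions per the advisory: 1.69.3 (1.x branch) and 2.4.2 (2.x branch).
# Branch handling matters: 2.0.0 sorts after 1.69.3 but is still vulnerable.

FIXED_BY_MAJOR = {
  1 => Gem::Version.new("1.69.3"),
  2 => Gem::Version.new("2.4.2"),
}.freeze

# Returns :vulnerable, :fixed, or :unknown (unparseable string, or a major
# branch the advisory does not cover).
def cve_2026_41308_status(version_string)
  v = Gem::Version.new(version_string.to_s.sub(/\Av/, ""))  # tolerate a leading "v"
  fixed = FIXED_BY_MAJOR[v.segments.first]
  return :unknown if fixed.nil?
  v < fixed ? :vulnerable : :fixed
rescue ArgumentError
  :unknown
end

if __FILE__ == $PROGRAM_NAME
  %w[1.69.2 1.69.3 1.70.0 2.0.0 2.4.1 2.4.2 v2.5.0 3.0.0 garbage].each do |s|
    puts "#{s.ljust(8)} #{cve_2026_41308_status(s)}"
  end
end
```

Feed it whatever your inventory reports for the running container or gem (the version string exposed by the application, an image tag, a Gemfile.lock entry); pre-release suffixes such as 2.4.2.pre sort before 2.4.2 and are therefore reported as vulnerable, which is the safe reading.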

Risk and Exploitability

The CVSS v3.1 base score is 6.5 (Medium) with vector AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L: reachable over the network, low attack complexity, no privileges or user interaction required, limited integrity and availability impact, and no confidentiality impact. EPSS is below 1% (Very Low), and the vulnerability is not listed in the CISA KEV catalog. The attack needs nothing beyond network access to the /p.json endpoint and a JSON create request that declares a file-type push; no credentials are involved. The practical consequences are abuse of the instance as an anonymous file drop or hosting point, consumption of storage and bandwidth, and circumvention of any policy that restricts file pushes to authenticated users. Whether a given instance is exposed depends on its configuration, which the advisory does not detail, so operators should assume exposure until they are on a fixed release.

Generated by OpenCVE AI on May 8, 2026 at 15:59 UTC.

Remediation

Fixed in PasswordPusher 1.69.3 (1.x branch) and 2.4.2 (2.x branch). No vendor-documented workaround for earlier releases is recorded on this page.

OpenCVE Recommended Actions

  • Update PasswordPusher to version 1.69.3 or newer for the 1.x branch, or 2.4.2 or newer for the 2.x branch.
  • After updating, confirm the boundary holds: an unauthenticated file-type create request to /p.json must be rejected (HTTP 401), while the same request with valid API credentials succeeds. Check both the JSON API and any alias paths the instance exposes, since the bypass was in the generic create path rather than the dedicated file push endpoint.
  • If updating is not immediately possible, restrict POST /p.json at the reverse proxy or firewall to clients presenting API credentials or coming from trusted source networks. This also blocks anonymous password pushes through the JSON API until the patch is applied; that is the trade-off of mitigating without the fix.
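The last two actions can be enforced at a single point in front of the application. The following Rack-style middleware is an added example, not PasswordPusher's own code and not its actual fix: it rejects POST /p.json unless the request carries API credentials or originates from a trusted network, and passes every other request through. The header names X-User-Email and X-User-Token are assumed to be how the instance authenticates API calls (the page does not state this); the upstream stand-in, the trusted CIDR and the sample requests are constructed for the demonstration.

```ruby
require "ipaddr"

# Added example, not PasswordPusher project code: a Rack-compatible gate that
# blocks unauthenticated POST /p.json from outside trusted networks until a
# fixed release is deployed. It only checks that both credential headers are
# present; validating them is left to the application behind the gate.
class PJsonCreateGate
  CREATE_PATH = "/p.json"
  DENY = [401, { "content-type" => "application/json" },
          ['{"error":"unauthenticated create on /p.json is disabled"}']].freeze

  # trusted: CIDR strings whose clients may still create pushes anonymously.
  def initialize(app, trusted: [])
    @app = app
    @trusted = trusted.map { |cidr| IPAddr.new(cidr) }
  end

  def call(env)
    return @app.call(env) unless env["REQUEST_METHOD"] == "POST" && env["PATH_INFO"] == CREATE_PATH
    return @app.call(env) if api_credentials?(env) || trusted_source?(env)
    DENY
  end

  private

  # Assumed header names (CGI-style keys as Rack presents them).
  def api_credentials?(env)
    !env["HTTP_X_USER_EMAIL"].to_s.empty? && !env["HTTP_X_USER_TOKEN"].to_s.empty?
  end

  # Uses REMOTE_ADDR only; honouring X-Forwarded-For here would let any client
  # claim an internal origin. Unparseable addresses are treated as untrusted.
  def trusted_source?(env)
    addr = IPAddr.new(env["REMOTE_ADDR"].to_s)
    @trusted.any? { |net| net.include?(addr) }
  rescue IPAddr::InvalidAddressError
    false
  end
end

# Constructed stand-in for the application and constructed requests, so the
# gate can be exercised without the rack gem or a running instance.
UPSTREAM = ->(_env) { [201, { "content-type" => "application/json" }, ['{"url_token":"demo"}']] }

def gated_status(env)
  PJsonCreateGate.new(UPSTREAM, trusted: ["10.0.0.0/8"]).call(env)[0]
end

def request_env(method, path, remote: "203.0.113.7", headers: {})
  { "REQUEST_METHOD" => method, "PATH_INFO" => path, "REMOTE_ADDR" => remote }.merge(headers)
end

if __FILE__ == $PROGRAM_NAME
  puts gated_status(request_env("POST", "/p.json"))                      # 401: external, no credentials
  puts gated_status(request_env("POST", "/p.json", remote: "10.1.2.3"))  # 201: trusted network
  puts gated_status(request_env("POST", "/p.json", headers: {
    "HTTP_X_USER_EMAIL" => "ops@example.com", "HTTP_X_USER_TOKEN" => "t0k3n" }))  # 201: credentials present
  puts gated_status(request_env("GET", "/p/abc.json"))                   # 201: other paths untouched
end
```

This is deliberately broader than the bug: every anonymous create on /p.json from outside the trusted networks is refused, including ordinary password pushes, which is the cost of mitigating without the patch. Deploy it where REMOTE_ADDR is the real client address (at the reverse proxy, or with the proxy's trusted-IP handling configured), and remove it once the instance is on 1.69.3 or 2.4.2.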

Generated by OpenCVE AI on May 8, 2026 at 15:59 UTC.

Advisories

No advisories yet.

History

Fri, 08 May 2026 16:30:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Pglombardo
                                       Pglombardo Password Pusher
Vendors & Products                     Pglombardo
                                       Pglombardo Password Pusher

Fri, 08 May 2026 14:45:00 +0000

Type          Values Removed   Values Added
Description                    Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.
Title                          Password Pusher: JSON API `/p.json` file upload alias bypasses file-push authentication
Weaknesses                     CWE-288
References
Metrics                        cvssV3_1: score 6.5, vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T14:30:37.513Z

Reserved: 2026-04-20T14:01:46.670Z

Link: CVE-2026-41308

Vulnrichment

No data.

NVD

Status : Awaiting Analysis

Published: 2026-05-08T15:16:39.480

Modified: 2026-05-08T16:08:15.570

Link: CVE-2026-41308

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-08T16:15:12Z

Weaknesses