Description
Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address is written to the application configuration file. The change does not become active immediately in the current process, because the ADMINS set is loaded once at startup. After a Scoold restart, though, the selected user is recognized as an administrator and gains access to the admin panel. This issue gives an attacker a reliable persistence path: write their own email into scoold.admins, wait for a restart or trigger one operationally, and the account comes back as admin. This issue has been patched in version 1.67.0.
Published: 2026-05-08
Score: 6.7 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Scoold’s /api/config/set/admins endpoint allowed an attacker to overwrite the configuration setting that lists administrator email addresses. By forging a Bearer JWT that the application mistakenly accepted as an admin token, the attacker could write an arbitrary email into the scoold.admins configuration key. The change is not applied until the application restarts, giving the attacker a reliable persistence mechanism: after a restart the account is granted full administrative access to the web interface. This flaw is rooted in missing validation of the JWT’s jti claim, which constitutes an authentication bypass weakness (CWE‑306).

Affected Systems

Erudika Scoold versions prior to 1.67.0 are affected. The issue was fixed in the 1.67.0 release. Any deployment using an older build with the /api/config/set/admins endpoint exposed remains vulnerable.

Risk and Exploitability

The CVSS score of 6.7 indicates a moderate severity, yet the persistence path dramatically increases long‑term impact. Exploitation requires remote access to the vulnerable API endpoint and the ability to forge a JWT; no specialized hardware is needed. EPSS data is currently unavailable, and the vulnerability is not listed in the CISA KEV catalog, but the attack vector and persistence make it a high‑risk issue for organizational security.

Generated by OpenCVE AI on May 8, 2026 at 20:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Scoold to version 1.67.0 or later to apply the vendor patch that removes the admin configuration write flaw.
  • If an immediate upgrade is not possible, temporarily disable the /api/config/set/admins endpoint or restrict its use to trusted IP addresses to prevent unauthorized modifications.
  • Revoke any existing forged JWTs or clear the admin configuration key if compromised, and enforce strict token validation that requires a valid jti claim (CWE‑306 mitigation).

Generated by OpenCVE AI on May 8, 2026 at 20:59 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 08 May 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Erudika
Erudika scoold
Vendors & Products Erudika
Erudika scoold

Fri, 08 May 2026 20:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Fri, 08 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description Scoold is a Q&A and a knowledge sharing platform for teams. Prior to version 1.67.0, Scoold allows the admins configuration value to be modified through /api/config/set/admins with a forged Bearer token that is accepted as an admin API token. Once that setting is changed, the target email address is written to the application configuration file. The change does not become active immediately in the current process, because the ADMINS set is loaded once at startup. After a Scoold restart, though, the selected user is recognized as an administrator and gains access to the admin panel. This issue gives an attacker a reliable persistence path: write their own email into scoold.admins, wait for a restart or trigger one operationally, and the account comes back as admin. This issue has been patched in version 1.67.0.
Title Scoold: Persistent Admin Takeover by Overwriting the admins Configuration Setting via Forged JWT (missing `jti` validation)
Weaknesses CWE-306
References
Metrics cvssV3_1

{'score': 6.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:L'}

Subscriptions

Erudika Scoold
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-08T19:31:42.697Z

Reserved: 2026-04-25T01:53:21.582Z

Link: CVE-2026-42176

cve-icon Vulnrichment

Updated: 2026-05-08T19:31:28.568Z

cve-icon NVD

Status : Received

Published: 2026-05-08T20:16:30.873

Modified: 2026-05-08T20:16:30.873

Link: CVE-2026-42176

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-08T22:30:18Z

Weaknesses