Description
Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes of unwanted email and consume downstream email delivery resources. This vulnerability is fixed in 1.180.10.
Published: 2026-05-14
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A flaw in Tuist’s password‑reset mechanism allows an unauthenticated submitter to repeatedly request reset emails for a known account without any server‑side throttling. The attacker can therefore flood the email delivery system, consuming bandwidth, mail‑server resources, and potentially causing delays or denial of service for legitimate users. The weakness is a classic resource‑exhaustion issue (CWE‑770).

Affected Systems

The vulnerability affects all self‑hosted deployments of Tuist running any version prior to 1.180.10. The affected product is the Tuist platform for Swift application development. No other vendors or products are impacted.

Risk and Exploitability

The CVSS score of 6.9 indicates medium severity. EPSS data is not available, and the vulnerability is not listed in CISA’s KEV catalog, suggesting no known widespread exploitation yet. The likely attack vector is an unauthenticated user triggering many password‑reset requests, so the exploit does not require privileged access. Because the flaw can be abused to send large volumes of email, the risk is significant if the organization relies on its own email infrastructure. Nonetheless, the absence of documented exploits and the medium CVSS score moderate the overall risk.

Generated by OpenCVE AI on May 14, 2026 at 21:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Tuist to version 1.180.10 or later.
  • If an upgrade is not immediately possible, implement client‑side or network‑level rate limiting on the password‑reset endpoint to throttle requests per IP or account.
  • Monitor outbound email traffic for sudden spikes and apply email‑provider throttling rules to prevent service disruption.

Generated by OpenCVE AI on May 14, 2026 at 21:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 15 May 2026 18:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Fri, 15 May 2026 11:45:00 +0000

Type Values Removed Values Added
First Time appeared Tuist
Tuist tuist
Vendors & Products Tuist
Tuist tuist

Thu, 14 May 2026 20:45:00 +0000

Type Values Removed Values Added
Description Tuist is a virtual platform team for Swift app devs. Prior to 1.180.10, the forgot password flow allows an unauthenticated attacker to repeatedly trigger password reset emails for a known account without server-side throttling. In self-hosted deployments, this can be abused to send large volumes of unwanted email and consume downstream email delivery resources. This vulnerability is fixed in 1.180.10.
Title Tuist: Forgot password flow lacks throttling for reset email delivery
Weaknesses CWE-770
References
Metrics cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:L'}

Subscriptions

Tuist Tuist
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-15T18:05:12.790Z

Reserved: 2026-05-07T16:20:08.660Z

Link: CVE-2026-44679

cve-icon Vulnrichment

Updated: 2026-05-15T15:37:09.453Z

cve-icon NVD

Status : Deferred

Published: 2026-05-14T21:16:47.780

Modified: 2026-05-15T14:53:48.823

Link: CVE-2026-44679

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-15T11:21:02Z

Weaknesses