Description
LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host's newPassword endpoint to set a new password and take over the account.
Published: 2026-06-09
Score: 8.7 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

LimeSurvey builds password‑reset URLs directly from the HTTP Host header without validating the value. Because the optional allowedHosts setting is undefined in the default configuration, no host filtering occurs. An unauthenticated attacker who knows a user’s username and email can send a password‑reset request with a spoofed Host header. The system then emails the user a reset link that points to the attacker’s host but contains a valid, secret validation key. When the recipient or an automated mail‑security scanner follows the link, the attacker learns the secret key and can replay it against the legitimate LimeSurvey instance to reset the account password and take over the account. This results in unauthorized access to the victim’s account and the data it protects.

Affected Systems

The vulnerability affects all LimeSurvey installations that use the default configuration (where allowedHosts is unspecified). No specific version information was provided in the CVE data, so any deployed instance is potentially vulnerable.

Risk and Exploitability

With a CVSS score of 8.7 the flaw is considered high severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. An attacker can exploit it remotely by submitting a crafted HTTP request to the forgotten‑password endpoint; no prior authentication is needed. Successful exploitation results in compromise of the victim’s account and potential access to all data behind that account.

Generated by OpenCVE AI on June 9, 2026 at 21:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LimeSurvey to the latest release that includes the host header validation fix for password‑reset links.
  • Configure the allowedHosts list to contain only legitimate hostnames and enable strict host header checking so that the system rejects any request with a Host header that is not on the list.
  • Disable or remove the use of the Host header when generating password‑reset URLs, or enforce HTTPS and redirect logic that guarantees the URL points to the legitimate server.
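As an added illustration (not LimeSurvey's own code), the following Python models the two patterns contrasted above: a Host-derived reset link guarded by an allowlist check that silently passes everything when the allowlist is undefined, beside a link built from a configured canonical base URL that never consults Host. The /newPassword path and the validation key are constructed placeholders, not values taken from LimeSurvey.

```python
# Added example, not LimeSurvey code. Models the page's failure mode: an
# undefined allowlist turns the host check into a no-op, so the client's Host
# header flows straight into the emailed reset link. The /newPassword path and
# the validation key used by the caller are constructed placeholders.
from typing import Iterable, Optional
from urllib.parse import urlencode, urlparse


class HostNotAllowed(Exception):
    """Raised when the request Host is outside the configured allowlist."""


def normalize_host(host_header: str) -> str:
    """Strip port, trailing dot and case so the allowlist comparison is exact."""
    return host_header.split(":", 1)[0].strip().rstrip(".").lower()


def check_is_allowed_host(host_header: str,
                          allowed_hosts: Optional[Iterable[str]]) -> bool:
    """An undefined or empty allowlist performs no check and accepts any Host,
    which is the default-configuration weakness the advisory describes."""
    if not allowed_hosts:
        return True
    return normalize_host(host_header) in {h.lower() for h in allowed_hosts}


def reset_link_from_host(host_header: str, validation_key: str,
                         allowed_hosts: Optional[Iterable[str]]) -> str:
    """Vulnerable pattern: the link hostname is copied from the request."""
    if not check_is_allowed_host(host_header, allowed_hosts):
        raise HostNotAllowed(host_header)
    query = urlencode({"validation_key": validation_key})
    return f"https://{host_header.strip()}/newPassword?{query}"


def reset_link_from_config(canonical_base_url: str, validation_key: str) -> str:
    """Hardened pattern: ignore Host entirely and use the configured base URL."""
    query = urlencode({"validation_key": validation_key})
    return f"{canonical_base_url.rstrip('/')}/newPassword?{query}"


def link_host(url: str) -> str:
    """Hostname a recipient or mail link scanner would contact for this link."""
    return urlparse(url).hostname or ""
```

With a populated allowlist the Host-derived builder rejects spoofed values, but only the config-derived builder removes the Host header from the link entirely.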

Advisories

No advisories yet.

History

Tue, 09 Jun 2026 19:30:00 +0000 (values added; nothing removed)

  • Metrics (ssvc): {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 09 Jun 2026 18:00:00 +0000 (values added; nothing removed)

  • Description: identical to the Description section above
  • Title: LimeSurvey Password Reset Host Header Injection Discloses Reset Token
  • First Time appeared: Limesurvey; Limesurvey limesurvey
  • Weaknesses: CWE-640
  • CPEs: cpe:2.3:a:limesurvey:limesurvey:*:*:*:*:*:*:*:*
  • Vendors & Products: Limesurvey; Limesurvey limesurvey
  • References: none listed
  • Metrics (cvssV3_1): {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H'}
  • Metrics (cvssV4_0): {'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-06-10T00:58:26.876Z

Reserved: 2026-06-05T11:53:55.168Z

Link: CVE-2026-50635

Vulnrichment

Updated: 2026-06-09T18:22:35.370Z

NVD

Status : Deferred

Published: 2026-06-09T18:17:10.273

Modified: 2026-06-09T19:36:10.547

Link: CVE-2026-50635

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-10T01:30:17Z

Weaknesses