Description
Cerebrate before version 1.37 exposed credential material from self-registration requests. The self-registration workflow stored the registrant’s hashed password in the inbox message data payload. This payload was returned unredacted through inbox index and view responses, including HTML, JSON, and CSV outputs, and could also be written unredacted into audit log entries for the inbox message.

An authenticated user with sufficient privileges to access inbox entries or related audit logs could retrieve password hashes associated with pending self-registration requests. Although the exposed value is a password hash rather than a plaintext password, disclosure of password hashes may enable offline password-cracking attempts and could increase risk where users reuse passwords across systems.

Cerebrate 1.37 fixes the issue by redacting sensitive password and authkey fields from inbox display/API output and recursively redacting those fields from JSON values written to audit logs, while leaving the stored registration payload intact for account creation processing.
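The recursive redaction the fix describes, as an added Python example that is not Cerebrate's own (PHP) code; the field list, the `[REDACTED]` marker and the shape of the inbox message are assumptions:

```python
import json

# Field names that must never reach inbox views or audit log entries.
# Mirrors the advisory (password, authkey); Cerebrate's exact list is assumed.
SENSITIVE_KEYS = {"password", "authkey"}
REDACTED = "[REDACTED]"


def redact(value):
    """Return a deep copy of `value` with sensitive fields masked.

    Walks dicts and lists recursively so a sensitive key nested anywhere
    in the payload is caught, not only a top-level one. The input is not
    mutated: the stored registration payload stays intact for account
    creation, only the copy that is displayed or logged is redacted.
    """
    if isinstance(value, dict):
        return {
            k: (REDACTED if str(k).lower() in SENSITIVE_KEYS else redact(v))
            for k, v in value.items()
        }
    if isinstance(value, list):
        return [redact(v) for v in value]
    return value


def redact_json_string(raw):
    """Redact a JSON-encoded string such as one written to an audit log.

    A value that is not valid JSON is returned unchanged rather than
    raising, so the logging path cannot be broken by a malformed field.
    """
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError):
        return raw
    return json.dumps(redact(parsed), sort_keys=True)


# Constructed inbox message carrying a self-registration request.
# The hash and authkey values are placeholders, not real credentials.
INBOX_MESSAGE = {
    "scope": "User",
    "action": "Registration",
    "data": {
        "email": "new.user@example.org",
        "password": "$2y$10$PLACEHOLDER_BCRYPT_HASH",
        "nested": [{"authkey": "PLACEHOLDER_AUTHKEY"}],
    },
}
```

`redact(INBOX_MESSAGE)` masks both the top-level password hash and the authkey inside the nested list while `INBOX_MESSAGE` itself is left unchanged.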

Affected component: Inbox self-registration request handling and audit logging

Fixed version: Cerebrate 1.37
Published: 2026-06-11
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Users who submitted self-registration requests to Cerebrate had their hashed passwords stored in the inbox message payload, which was then returned in raw form via the inbox index, view, and audit log endpoints. The exposed data is a password hash rather than plaintext, but disclosure facilitates offline password-cracking attempts and poses additional risk where users reuse passwords across environments. The weakness falls under CWE-200, an information-exposure (confidentiality) weakness.

Affected Systems

The vulnerability affects Cerebrate prior to version 1.37. The Inbox self‑registration request handling and audit logging components exhibit the flaw. Versions 1.37 and later have the fix applied.

Risk and Exploitability

The CVSS score of 5.1 indicates a moderate impact with a 10% impact rating under the CVSS v3.1 formula. The EPSS score is not available, but the vulnerability is not listed in CISA's KEV catalog, suggesting no current publicly known exploitation. An attacker must be authenticated with sufficient privileges to access inbox entries or related audit logs, so exploitation is limited to privileged accounts. Once such access is obtained, the attacker can retrieve the unredacted password hashes for pending registration requests and attempt offline cracking to compromise user accounts.

Generated by OpenCVE AI on June 11, 2026 at 12:26 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Cerebrate to version 1.37 or later to ensure password and auth key fields are redacted from inbox display and audit log output.
  • If an immediate upgrade is not possible, limit access to inbox entry and audit log endpoints to the minimum required privileged users, and consider disabling self‑registration or audit export features until the patch can be applied.
  • Enforce strong password policies, including length and complexity restrictions, and educate users against password reuse to reduce the impact of any exposed password hashes.

Advisories

No advisories yet.

History

Thu, 11 Jun 2026 13:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 11 Jun 2026 11:30:00 +0000

Type: Description
Values added: identical to the Description section above, including the "Affected component" and "Fixed version" lines

Type: Title
Values added: Cerebrate self-registration password hash exposure via inbox and audit log views

Type: Weaknesses
Values added: CWE-200

Type: References
Values added: (none listed)

Type: Metrics (cvssV4_0)
Values added: {'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:N/VA:N/SC:L/SI:N/SA:N/S:N/U:Green'}


MITRE

Status: PUBLISHED

Assigner: CIRCL

Published:

Updated: 2026-06-11T12:42:07.109Z

Reserved: 2026-06-11T10:02:55.809Z

Link: CVE-2026-53912

Vulnrichment

Updated: 2026-06-11T12:42:02.745Z

NVD

Status: Received

Published: 2026-06-11T12:16:31.960

Modified: 2026-06-11T12:16:31.960

Link: CVE-2026-53912

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-11T12:30:14Z

Weaknesses
  • CWE-200: Exposure of Sensitive Information to an Unauthorized Actor