Git · Runtipi · CVE-2026-31881
**Name of the Vulnerable Software and Affected Versions**
Runtipi versions prior to 4.8.0
**Description**
Runtipi is a personal homeserver orchestrator. An unauthenticated attacker can reset the operator (admin) password while a password-reset request is active, leading to full account takeover. The API endpoint `/api/auth/reset-password` is exposed without authentication or authorization checks. During the 15-minute reset window, any remote user can set a new operator password and log in as administrator.
**Recommendations**
Update to version 4.8.0 or later.