PT-2025-47340 · Unknown · Openml.Org Web Application

Published

2025-11-18

·

Updated

2025-11-19

·

CVE-2025-55796

CVSS v3.1

7.5

High

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Name of the Vulnerable Software and Affected Versions

openml/openml.org web application version v2.0.20241110

Description

The web application generates predictable MD5-based tokens for critical user actions, including signup confirmation, password resets, email confirmation resends, and email change confirmation. Each token is the MD5 hash of the current timestamp formatted as "%d %H:%M:%S" (day of month, hour, minute, second), with no user-specific data and no cryptographic randomness mixed in. Because the token depends only on the time of the request, an attacker can brute-force valid tokens within a short timeframe, potentially enabling unauthorized account confirmation, password resets, and email change approvals, which could lead to account takeover.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
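The following added example is not code from openml.org; it models the weak token construction the description gives (MD5 of a "%d %H:%M:%S" timestamp) to show why it is predictable, and places beside it an assumed hardened design (CSPRNG token bound to user and purpose, stored hashed, single-use, with expiry) of the kind a fix would use.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta

# Weak pattern as described in the advisory: MD5 over the current time formatted
# as "%d %H:%M:%S". Reconstructed for illustration, not the project's own code.
def weak_token(now: datetime) -> str:
    return hashlib.md5(now.strftime("%d %H:%M:%S").encode()).hexdigest()

# Number of distinct values the weak token can take: 31 possible days of the
# month times 86400 seconds. No secret enters the hash, so the space is tiny.
def weak_token_space() -> int:
    return 31 * 24 * 60 * 60  # 2,678,400

# Assumed hardened replacement: random token from the OS CSPRNG, keyed to the
# user and the action, stored only as a SHA-256 digest, single-use, time-limited.
class TokenStore:
    def __init__(self) -> None:
        self._pending: dict = {}  # (user_id, purpose) -> (sha256 hex, expires_at)

    def issue(self, user_id: int, purpose: str, now: datetime,
              ttl: timedelta = timedelta(hours=1)) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of unpredictable material
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[(user_id, purpose)] = (digest, now + ttl)
        return token  # sent to the user's email; only the digest is kept

    def verify(self, user_id: int, purpose: str, token: str, now: datetime) -> bool:
        entry = self._pending.get((user_id, purpose))
        if entry is None:
            return False
        digest, expires_at = entry
        if now > expires_at:
            del self._pending[(user_id, purpose)]  # expired: discard
            return False
        presented = hashlib.sha256(token.encode()).hexdigest()
        if not hmac.compare_digest(presented, digest):  # constant-time compare
            return False
        del self._pending[(user_id, purpose)]  # single use
        return True
```

Two requests made at the same day-of-month and time of day in different months yield the same weak token, which is the collision the test below checks.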

Exploit

Resource Exhaustion


Weakness Enumeration

Related Identifiers

CVE-2025-55796
GHSA-XFJH-GF9P-8QR6

Affected Products

Openml.Org Web Application