Greg Scharf

#31266 of 53,634
8.2 Total CVSS
Vulnerabilities · 1
PT-2025-39827
8.2
2025-09-29
Unknown · Obsidian Scheduler · CVE-2025-56449
**Name of the Vulnerable Software and Affected Versions**

Obsidian Scheduler versions 5.0.0 through 6.3.0

**Description**

A security issue exists in the Obsidian Scheduler REST API. If an account is locked out due to not enrolling in Multi-Factor Authentication (MFA), the REST API continues to permit the use of Basic Authentication for administrative tasks. Specifically, the default admin account, even when locked out through the web interface, remains usable via the REST API. This allows for the creation of new privileged users, circumventing MFA protections and weakening the intended security measures. The API endpoints involved allow administrative actions despite the account lockout. The vulnerable parameter is the authentication method, which allows Basic Authentication when MFA is required.

**Recommendations**

For versions 5.0.0 through 6.3.0, restrict the use of Basic Authentication when MFA is enforced.