PT-2024-34657 · Octoprint · Octoprint

Jacopotediosi

·

Published

2024-11-05

·

Updated

2024-12-18

·

CVE-2024-51493

CVSS v3.1

6.5

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions
OctoPrint versions up to and including 1.10.2

Description
OctoPrint provides a web interface for controlling consumer 3D printers. The issue allows an attacker who has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve, recreate, or delete the user's API key or the global API key without having to reauthenticate by re-entering the user account's password. An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows that depend on an API key they deleted.

Recommendations
For versions up to and including 1.10.2, upgrade to version 1.10.3 to patch the vulnerability. As a temporary workaround, consider restricting access to the API until the issue is resolved. Avoid using the API key in sensitive operations until the upgrade is applied.
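The following is an added illustrative example, not code from OctoPrint or from the advisory. It shows the pattern behind the issue: a key-management service where read, regenerate and delete operations on an API key are unlocked by the session cookie alone (the weak variant), beside a hardened variant that additionally requires the account password to be re-confirmed on every such call. A session-hijacker holds the cookie but not the password, so the hardened variant refuses all three operations. Names such as WeakKeyStore, KeyStore, ReauthError and the demo user are assumptions made for the example.

```python
"""Illustrative example (not OctoPrint's code): API-key operations with and
without a password re-confirmation step. All class and function names are
assumptions made for this example."""
import hashlib
import hmac
import os
import secrets
from typing import Optional


class ReauthError(Exception):
    """Raised when a sensitive key operation is attempted without a valid password."""


class User:
    def __init__(self, name: str, password: str) -> None:
        self.name = name
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.api_key: Optional[str] = secrets.token_hex(16)

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        # Constant-time comparison of the derived hashes.
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)


class Session:
    """A logged-in browser session: this is all a session-hijacker holds."""
    def __init__(self, user: User) -> None:
        self.user = user


class WeakKeyStore:
    """Pre-fix pattern: a valid session alone unlocks every key operation."""
    def get_key(self, session: Session) -> Optional[str]:
        return session.user.api_key

    def regenerate_key(self, session: Session) -> str:
        session.user.api_key = secrets.token_hex(16)
        return session.user.api_key

    def delete_key(self, session: Session) -> None:
        session.user.api_key = None


class KeyStore:
    """Hardened pattern: the caller must also present the account password."""
    @staticmethod
    def _reauth(session: Session, password: Optional[str]) -> None:
        if password is None or not session.user.check_password(password):
            raise ReauthError("password re-confirmation required")

    def get_key(self, session: Session, password: Optional[str] = None) -> Optional[str]:
        self._reauth(session, password)
        return session.user.api_key

    def regenerate_key(self, session: Session, password: Optional[str] = None) -> str:
        self._reauth(session, password)
        session.user.api_key = secrets.token_hex(16)
        return session.user.api_key

    def delete_key(self, session: Session, password: Optional[str] = None) -> None:
        self._reauth(session, password)
        session.user.api_key = None


def _attempt(fn, *args) -> str:
    """Return 'blocked' if the operation raises ReauthError, else 'allowed'."""
    try:
        fn(*args)
        return "allowed"
    except ReauthError:
        return "blocked"


def demo() -> dict:
    """Drive both stores from a hijacked session (constructed sample data)."""
    password = "correct horse battery staple"
    user = User("alice", password)
    original_key = user.api_key
    hijacked = Session(user)  # attacker has the cookie, not the password
    results = {}

    weak = WeakKeyStore()
    results["weak_read_leaks_key"] = weak.get_key(hijacked) == original_key
    results["weak_regenerate"] = _attempt(weak.regenerate_key, hijacked)
    results["weak_delete"] = _attempt(weak.delete_key, hijacked)

    user.api_key = original_key  # reset for the hardened run
    hard = KeyStore()
    results["hard_read_no_pw"] = _attempt(hard.get_key, hijacked)
    results["hard_read_wrong_pw"] = _attempt(hard.get_key, hijacked, "not the password")
    results["hard_delete_no_pw"] = _attempt(hard.delete_key, hijacked)
    results["hard_key_intact"] = user.api_key == original_key
    results["hard_read_right_pw"] = hard.get_key(hijacked, password) == original_key
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the hardened variant is that a hijacked session is downgraded from "full control of the key" to "nothing", because every key operation re-derives its authorization from a secret the session cookie does not carry. The same idea applies to any other credential-changing action (password change, token issuance) that is reachable from a browser session.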

Exploit

Fix

Missing Authentication

Weakness Enumeration

Related Identifiers

CVE-2024-51493
GHSA-CC6X-8CC7-9953
PYSEC-2024-202

Affected Products

Octoprint