PT-2026-24792 · Git+1 · Runtipi

Fy0Lai · Published 2026-03-11 · Updated 2026-03-12 · CVE-2026-31881

CVSS v3.1: 9.8 (Critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Runtipi versions prior to 4.8.0

Description: Runtipi is a personal homeserver orchestrator. An unauthenticated attacker can reset the operator (admin) password while a password-reset request is active, leading to full account takeover. The API endpoint "/api/auth/reset-password" is exposed without authentication or authorization checks, so during the 15-minute reset window any remote user can set a new operator password and log in as administrator.

Recommendations: Update to version 4.8.0 or later.

Exploit

Fix

Weakness Enumeration

Missing Authentication

Related Identifiers

CVE-2026-31881
GHSA-96FM-WHRC-CWG3

Affected Products

Runtipi