CVE-2026-40043

Name of the Vulnerable Software and Affected Versions Pachno version 1.0.6

Description An authentication bypass in the runSwitchUser() action allows authenticated low-privilege users to escalate privileges by manipulating the original username cookie. By setting this client-controlled cookie to any value and requesting a switch to user ID 1, an attacker can obtain session tokens or password hashes belonging to administrator accounts.

Recommendations At the moment, there is no information about a newer version that contains a fix for this vulnerability.