PT-2026-34822 · Npm+1 · @Actual-App/Sync-Server+1

Rex50527 · Published 2026-04-23 · Updated 2026-04-28 · CVE-2026-33318

CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions: Actual, versions prior to 26.4.0
Description: Authenticated users, including those with the BASIC role, can escalate their privileges to ADMIN on servers that migrated from password authentication to OpenID Connect. This is possible through an exploit chain involving three weaknesses. First, the endpoint '/account/change-password' lacks authorization checks, allowing any session to overwrite the password hash. Second, the password auth row is not removed during migration, leaving an orphaned target. Third, the login endpoint accepts a client-supplied loginMethod variable, which can be used to bypass the server's active authentication configuration. By chaining these, an attacker can set a known password and authenticate as the anonymous admin account created during multiuser migration.
Recommendations: Update to version 26.4.0. As a temporary workaround, administrators who have fully migrated to OpenID and do not require password authentication can remove the orphaned row by executing: DELETE FROM auth WHERE method = 'password';
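The three weaknesses above, each paired with the server-side check that closes it, as an added example that is not part of this advisory or of the Actual project's code. It runs against a constructed in-memory model of the `auth` table; only the `method` column is taken from the advisory's workaround, while the `active` column, the session shape and the ADMIN-only change-password policy are assumptions.

```javascript
// Added example: defender-side checks for the weaknesses described in the
// advisory, written against a constructed in-memory model of the `auth` table.
// Only the `method` column comes from the advisory; `active`, the session
// shape and the ADMIN-only policy are assumptions for illustration.

// Constructed rows: what the table looks like after a password -> OpenID
// migration that left the password row behind (the orphaned target).
const AUTH_ROWS = [
  { method: 'password', active: 0 },
  { method: 'openid', active: 1 },
];

// Server-side source of truth for which authentication method is enabled.
function activeLoginMethod(rows) {
  const active = rows.filter((r) => r.active === 1);
  if (active.length !== 1) throw new Error('expected exactly one active auth method');
  return active[0].method;
}

// Weakness 3, vulnerable form: the request body picks the authentication
// path, so a client can ask for 'password' on an OpenID-only server.
function vulnerableResolveLoginMethod(rows, body) {
  return body.loginMethod || activeLoginMethod(rows);
}

// Hardened form: the client's value is never used to select the path; a
// request for a method that is not enabled is rejected explicitly.
function hardenedResolveLoginMethod(rows, body) {
  const method = activeLoginMethod(rows);
  if (body.loginMethod && body.loginMethod !== method) {
    return { ok: false, reason: `login method '${body.loginMethod}' is not enabled` };
  }
  return { ok: true, method };
}

// Weakness 1: change-password must be authorized, not merely authenticated.
// Assumed policy: only an ADMIN session may change it, and only while
// password authentication is actually the active method.
function canChangePassword(session, rows) {
  return session.role === 'ADMIN' && activeLoginMethod(rows) === 'password';
}

// Weakness 2: pre-check for the advisory's workaround
// (DELETE FROM auth WHERE method = 'password'): list rows whose method is not
// the active one so an operator can confirm what would be removed.
function orphanedAuthRows(rows) {
  const method = activeLoginMethod(rows);
  return rows.filter((r) => r.method !== method);
}
```

Running `orphanedAuthRows` before the DELETE confirms that exactly the password row would go, and `hardenedResolveLoginMethod` shows that a client asking for 'password' is refused once OpenID is the active method.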

Weakness Enumeration: Missing Authorization; Improper Access Control

Related Identifiers: CVE-2026-33318; GHSA-PRP4-2F49-FCGP

Affected Products: @Actual-App/Sync-Server; Actual