CVE-2025-56449

CVSS 8.2 HIGHEPSS 0.4%CWE-290

Vexday Risk Score

21Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 8.2EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

29 Sep 2025Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 thru 6.3.0. If an account is locked out due to not enrolling in MFA (e.g. after the 7-day enforcement window), the REST API still allows the use of Basic Authentication to authenticate and perform administrative actions. In particular, the default admin account was found to be locked out via the web interface but still usable through the REST API. This allowed creation of a new privileged user, bypassing MFA protections. This undermines the intended security posture of MFA enforcement.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Affected products

n/a · n/a

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://blog.gregscharf.com/2025/07/11/upcoming-vulnerability-advisory/https://blog.gregscharf.com/2025/07/31/obsidian-scheduler-access-control-vulnerability/https://wiki.obsidianscheduler.com/docs/Release_Notes#Obsidian_6.3.1