CVE-2025-56449

CVSS 8.2 HIGHEPSS 0.4%CWE-290

Vexday Risk Score

21Baixo

Decisão SSVC (CISA)

Track

Sem sinal de exploração → monitorar

CVSS 8.2EPSS 0.4%KEV nãoPoC —Nuclei —Metasploit —Patch —

Ciclo de vida

29 set 2025Publicada no NVD

Recomendação: Monitorar — sem sinal de exploração no momento.

A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 thru 6.3.0. If an account is locked out due to not enrolling in MFA (e.g. after the 7-day enforcement window), the REST API still allows the use of Basic Authentication to authenticate and perform administrative actions. In particular, the default admin account was found to be locked out via the web interface but still usable through the REST API. This allowed creation of a new privileged user, bypassing MFA protections. This undermines the intended security posture of MFA enforcement.

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Produtos afetados

n/a · n/a

Quer saber se a sua infraestrutura está exposta a isto?

Falar com a TrueHacking →

Referências

https://blog.gregscharf.com/2025/07/11/upcoming-vulnerability-advisory/https://blog.gregscharf.com/2025/07/31/obsidian-scheduler-access-control-vulnerability/https://wiki.obsidianscheduler.com/docs/Release_Notes#Obsidian_6.3.1