Obsidian Scheduler REST API Vulnerability in Credential Management
CVE-2025-56449

Currently unrated

Key Information:

Vendor: Obsidian Scheduler
Status: Obsidian Scheduler
Vendor: CVE Published:; 29 September 2025

🔔 Create Obsidian Scheduler Vulnerability Alert

What is CVE-2025-56449?

A significant vulnerability exists in the Obsidian Scheduler's REST API that allows attackers to perform administrative actions using Basic Authentication, even when their accounts are locked out due to non-enrollment in Multi-Factor Authentication (MFA). Despite the enforcement of MFA policies intended to secure administrative access, users can authenticate and create new privileged accounts, thereby undermining the effectiveness of MFA. This flaw raises critical concerns about the integrity of user account security and necessitates immediate attention to mitigate potential exploitation.

References

https://blog.gregscharf.com/2025/07/11/upcoming-vulnerabi...

https://blog.gregscharf.com/2025/07/31/obsidian-scheduler...

https://wiki.obsidianscheduler.com/docs/Release_Notes#Obs...

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Sep 29, 2025
Vulnerability Reserved
Aug 17, 2025

JSON