Obsidian Scheduler REST API Vulnerability in Credential Management
CVE-2025-56449

8.2HIGH

Key Information:

Vendor: Obsidian Scheduler
Status: Obsidian Scheduler
Vendor: CVE Published:; 29 September 2025

🔔 Create Obsidian Scheduler Vulnerability Alert

What is CVE-2025-56449?

A significant vulnerability exists in the Obsidian Scheduler's REST API that allows attackers to perform administrative actions using Basic Authentication, even when their accounts are locked out due to non-enrollment in Multi-Factor Authentication (MFA). Despite the enforcement of MFA policies intended to secure administrative access, users can authenticate and create new privileged accounts, thereby undermining the effectiveness of MFA. This flaw raises critical concerns about the integrity of user account security and necessitates immediate attention to mitigate potential exploitation.

Human OS v1.0:
Ageing Is an Unpatched Zero-Day Vulnerability.

Remediate biological technical debt. Prime Ageing uses 95% high-purity SIRT6 activation to maintain genomic integrity and bolster systemic resilience.

Deploy the Patch

References

https://blog.gregscharf.com/2025/07/11/upcoming-vulnerabi...

https://blog.gregscharf.com/2025/07/31/obsidian-scheduler...

https://wiki.obsidianscheduler.com/docs/Release_Notes#Obs...

CVSS V3.1

Score:

8.2

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Sep 29, 2025
Vulnerability Reserved
Aug 17, 2025

JSON