Race Condition Vulnerability in Homarr Dashboard by Homarr Labs
CVE-2026-32602

4.2 MEDIUM

Key Information:

CVE Published: 6 April 2026

What is CVE-2026-32602?

Homarr Dashboard versions prior to 1.57.0 contain a race condition in the user registration endpoint. An attacker can use it to create multiple user accounts from a single-use invite token. Registration performs three separate database operations (CHECK, CREATE, and DELETE) in sequence, without wrapping them in a transaction. Because the sequence is not atomic, concurrent requests can all pass the validation check before any of them deletes the invite token. This defeats the intended single-use nature of invite tokens. The issue has been addressed in version 1.57.0.
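The CHECK, CREATE, DELETE pattern described above, next to an atomic alternative, as an added example that is not Homarr's code or its actual fix. The in-memory store, the token `INVITE-1`, and all function names are constructed for illustration; each `yield` stands for a point where a real handler awaits the database.

```javascript
// Constructed in-memory stand-in for the invite and user tables (not Homarr's schema).
function makeDb() {
  return { invites: new Set(["INVITE-1"]), users: [] };
}

// Vulnerable shape: CHECK, CREATE and DELETE are three separate operations.
// Other requests can run at every `yield`, i.e. between the operations.
function* registerUnsafe(db, token, name) {
  const valid = db.invites.has(token); // CHECK
  yield;
  if (!valid) return false;
  db.users.push(name); // CREATE
  yield;
  db.invites.delete(token); // DELETE
  return true;
}

// Hardened shape: consume the token in one atomic step and create the user
// only if this request is the one that removed it. In SQL terms: a DELETE whose
// affected-row count is checked, in the same transaction as the INSERT so a
// failed insert does not burn the token.
function* registerAtomic(db, token, name) {
  const claimed = db.invites.delete(token); // atomic CHECK + DELETE
  yield;
  if (!claimed) return false;
  db.users.push(name); // CREATE
  return true;
}

// Round-robin scheduler: advances every in-flight request one step per round,
// an interleaving that concurrent requests can produce.
function runConcurrently(handler, count) {
  const db = makeDb();
  let pending = Array.from({ length: count }, (_, i) => handler(db, "INVITE-1", `user${i}`));
  let accepted = 0;
  while (pending.length > 0) {
    pending = pending.filter((req) => {
      const step = req.next();
      if (step.done && step.value) accepted++;
      return !step.done;
    });
  }
  return { accepted, users: db.users.length, invitesLeft: db.invites.size };
}

console.log("unsafe:", runConcurrently(registerUnsafe, 5));
console.log("atomic:", runConcurrently(registerAtomic, 5));
```

With five concurrent requests the unsafe handler accepts all five registrations for one token, while the atomic handler accepts exactly one.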

Affected Version(s)

homarr < 1.57.0

CVSS V3.1

Score: 4.2
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: High
Privileges Required: Low
User Interaction: None
Scope: Unchanged
