Access Control Vulnerability in Prosody Messaging Server by Prosody Software
CVE-2026-43504

6.5MEDIUM

Key Information:

Vendor: Prosody
Status: Prosody
Vendor: CVE Published:; 1 May 2026

What is CVE-2026-43504?

An access control vulnerability has been identified in Prosody messaging server versions before 0.12.6 and from version 1.0.0 to 13.0.0 before 13.0.5, specifically when mod_proxy65 is enabled. This issue occurs due to mishandling of access control during a paused state, which can inadvertently allow the relaying of unauthenticated traffic. Administrators are advised to update to the latest version to mitigate potential exploitation.

Affected Version(s)

Prosody 0 < 0.12.6

Prosody 1.0.0 < 13.0.5

References

https://www.openwall.com/lists/oss-security/2026/05/01/5

https://prosody.im/security/advisory_735dd9d3/

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

None

Integrity:

Low

Availability:

None

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 1, 2026
Vulnerability Reserved
May 1, 2026

CVE-2026-43504 Data

JSON