Authentication Flaw in Penpot Design Tool Exposes User Invitations and Profile Takeover Risk
CVE-2026-44986

9.9CRITICAL

Key Information:

Vendor

Penpot

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-44986?

Penpot is an open-source design tool that facilitates collaboration between design and code. Prior to its 2.14.5 release, it contained a vulnerability where invitation tokens for team invitations were exposed, allowing unauthorized individuals to exploit these tokens. The software improperly handled user authentication by embedding an existing profile ID in the registration process, enabling a registered user to take control of any non-blocked profile without necessitating password verification. This flaw highlights significant risks regarding user privacy and security within the platform, necessitating prompt updates to secure the application.

Affected Version(s)

penpot < 2.14.5

References

CVSS V3.1

Score:
9.9
Severity:
CRITICAL
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Changed

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.