Authentication Flaw in Penpot Design Tool Exposes User Invitations and Profile Takeover Risk
CVE-2026-44986
9.9CRITICAL
What is CVE-2026-44986?
Penpot is an open-source design tool that facilitates collaboration between design and code. Prior to its 2.14.5 release, it contained a vulnerability where invitation tokens for team invitations were exposed, allowing unauthorized individuals to exploit these tokens. The software improperly handled user authentication by embedding an existing profile ID in the registration process, enabling a registered user to take control of any non-blocked profile without necessitating password verification. This flaw highlights significant risks regarding user privacy and security within the platform, necessitating prompt updates to secure the application.
Affected Version(s)
penpot < 2.14.5
