Apostrophe has a Weak Password Recovery Mechanism for Forgotten Password and Improper Input Validation
CVE-2026-45013

8.1HIGH

Key Information:

Vendor: Apostrophecms
Status: Apostrophe
Vendor: CVE Published:; 12 June 2026

🔔 Create Apostrophecms Vulnerability Alert

What is CVE-2026-45013?

ApostropheCMS is an open-source Node.js content management system. Versions up to and including 4.29.0 have a password reset flow that constructs the reset URL using req.hostname, which is derived directly from the attacker-controlled HTTP Host header when apos.baseUrl is not explicitly configured. An unauthenticated attacker who knows a victim's email address can send a crafted reset request that causes the application to email the victim a reset link pointing to the attacker's domain. When the victim clicks the link, the valid reset token is delivered to the attacker, enabling full account takeover. As of time of publication, no known patched versions are available.

Affected Version(s)

apostrophe <= 4.29.0

References

https://github.com/apostrophecms/apostrophe/security/advi...

x_refsource_CONFIRM

CVSS V3.1

Score:

8.1

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 12, 2026
Vulnerability Reserved
May 8, 2026

CVE-2026-45013 Data

JSON