Unauthenticated Configuration Modifications in Dashy by Lissy93
CVE-2026-46485

8.2HIGH

Key Information:

Vendor

Lissy93

Status
Vendor
CVE Published:
15 July 2026

What is CVE-2026-46485?

Dashy, a self-hostable personal dashboard, is susceptible to a vulnerability that can be exploited by unauthenticated users or non-admin authenticated users. This arises in Dashy deployments utilizing OpenID Connect (OIDC) prior to version 4.0.8, allowing these users to write unintended changes to the main config.yaml file. Although permissions are configured, the flaw in the config-saving functionality enables unauthorized modifications. This could lead to disruptions in dashboard configurations and overall service functionality. The issue has been addressed in Dashy version 4.0.8.

Affected Version(s)

dashy < 4.0.8

References

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
None
Integrity:
High
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.