Unauthenticated Configuration Modifications in Dashy by Lissy93
CVE-2026-46485
8.2HIGH
What is CVE-2026-46485?
Dashy, a self-hostable personal dashboard, is susceptible to a vulnerability that can be exploited by unauthenticated users or non-admin authenticated users. This arises in Dashy deployments utilizing OpenID Connect (OIDC) prior to version 4.0.8, allowing these users to write unintended changes to the main config.yaml file. Although permissions are configured, the flaw in the config-saving functionality enables unauthorized modifications. This could lead to disruptions in dashboard configurations and overall service functionality. The issue has been addressed in Dashy version 4.0.8.
Affected Version(s)
dashy < 4.0.8
