LimeSurvey Password Reset Host Header Injection Discloses Reset Token
CVE-2026-50635

8.7HIGH

Key Information:

Vendor: Limesurvey
Status: Limesurvey
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-50635?

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host's newPassword endpoint to set a new password and take over the account.

Affected Version(s)

LimeSurvey 0 <= 7.0

References

https://github.com/LimeSurvey/LimeSurvey/pull/5032

patch

https://www.limesurvey.org/

product

https://www.vulncheck.com/advisories/limesurvey-password-...

third-party-advisory

CVSS V4

Score:

8.7

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Attack Required:

None

Privileges Required:

Undefined

User Interaction:

Unknown

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 9, 2026
Vulnerability Reserved
Jun 5, 2026

Credit

McCaulay Hudson (@_McCaulay) of watchTowr

CVE-2026-50635 Data

JSON

Limesurvey

What is CVE-2026-50635?

Affected Version(s)

References

CVSS V4

Timeline

Credit