Brute-Force Vulnerability in PasswordPusher by PasswordPusher
CVE-2026-61458
8.7HIGH
What is CVE-2026-61458?
The PasswordPusher application prior to version 2.9.2 exhibits a significant brute-force vulnerability in the POST /p/:token/access endpoint. This vulnerability arises due to the absence of route-specific rate limiting and push-specific lockout mechanisms. As a result, an attacker with knowledge of a push token can execute up to 120 passphrase attempts per minute without facing any deterrents. This flaw makes it feasible for attackers to recover short or dictionary-derived passphrases within a matter of hours or days, thereby compromising the intended security of the platform.
Affected Version(s)
PasswordPusher 0 < 2.9.2
PasswordPusher 2.9.2
