{"api_version":"1","generated_at":"2026-04-25T10:14:18+00:00","cve":"CVE-2026-34072","urls":{"html":"https://cve.report/CVE-2026-34072","api":"https://cve.report/api/cve/CVE-2026-34072.json","docs":"https://cve.report/api","cve_org":"https://www.cve.org/CVERecord?id=CVE-2026-34072","nvd":"https://nvd.nist.gov/vuln/detail/CVE-2026-34072"},"summary":{"title":"cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution","description":"Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.","state":"PUBLISHED","assigner":"GitHub_M","published_at":"2026-04-01 18:16:29","updated_at":"2026-04-03 16:10:52"},"problem_types":["CWE-287","CWE-306","CWE-693","CWE-287 CWE-287: Improper Authentication","CWE-306 CWE-306: Missing Authentication for Critical Function","CWE-693 CWE-693: Protection Mechanism Failure"],"metrics":[{"version":"3.1","source":"security-advisories@github.com","type":"Secondary","score":"8.3","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","data":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"}},{"version":"3.1","source":"CNA","type":"DECLARED","score":"8.3","severity":"HIGH","vector":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","data":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"LOW","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}}],"references":[{"url":"https://github.com/fccview/cronmaster/releases/tag/2.2.0","name":"https://github.com/fccview/cronmaster/releases/tag/2.2.0","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6","name":"https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6","refsource":"security-advisories@github.com","tags":[],"title":"","mime":"","httpstatus":"","archivestatus":"0"},{"url":"https://www.cve.org/CVERecord?id=CVE-2026-34072","name":"CVE Program record","refsource":"CVE.ORG","tags":["canonical"]},{"url":"https://nvd.nist.gov/vuln/detail/CVE-2026-34072","name":"NVD vulnerability detail","refsource":"NVD","tags":["canonical","analysis"]}],"affected":[{"source":"CNA","vendor":"fccview","product":"cronmaster","version":"affected < 2.2.0","platforms":[]}],"timeline":[],"solutions":[],"workarounds":[],"exploits":[],"credits":[],"nvd_cpes":[],"vendor_comments":[],"enrichments":{"kev":null,"epss":{"cve_year":"2026","cve_id":"34072","cve":"CVE-2026-34072","epss":"0.000500000","percentile":"0.153420000","score_date":"2026-04-07","updated_at":"2026-04-08 00:03:39"},"legacy_qids":[]},"source_records":{"cve_program":{"containers":{"adp":[{"metrics":[{"other":{"content":{"id":"CVE-2026-34072","options":[{"Exploitation":"none"},{"Automatable":"no"},{"Technical Impact":"total"}],"role":"CISA Coordinator","timestamp":"2026-04-01T17:45:02.731849Z","version":"2.0.3"},"type":"ssvc"}}],"providerMetadata":{"dateUpdated":"2026-04-01T17:45:11.248Z","orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP"},"title":"CISA ADP Vulnrichment"}],"cna":{"affected":[{"product":"cronmaster","vendor":"fccview","versions":[{"status":"affected","version":"< 2.2.0"}]}],"descriptions":[{"lang":"en","value":"Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0."}],"metrics":[{"cvssV3_1":{"attackComplexity":"LOW","attackVector":"ADJACENT_NETWORK","availabilityImpact":"LOW","baseScore":8.3,"baseSeverity":"HIGH","confidentialityImpact":"HIGH","integrityImpact":"HIGH","privilegesRequired":"NONE","scope":"UNCHANGED","userInteraction":"NONE","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","version":"3.1"}}],"problemTypes":[{"descriptions":[{"cweId":"CWE-287","description":"CWE-287: Improper Authentication","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-306","description":"CWE-306: Missing Authentication for Critical Function","lang":"en","type":"CWE"}]},{"descriptions":[{"cweId":"CWE-693","description":"CWE-693: Protection Mechanism Failure","lang":"en","type":"CWE"}]}],"providerMetadata":{"dateUpdated":"2026-04-01T16:51:33.306Z","orgId":"a0819718-46f1-4df5-94e2-005712e83aaa","shortName":"GitHub_M"},"references":[{"name":"https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6","tags":["x_refsource_CONFIRM"],"url":"https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6"},{"name":"https://github.com/fccview/cronmaster/releases/tag/2.2.0","tags":["x_refsource_MISC"],"url":"https://github.com/fccview/cronmaster/releases/tag/2.2.0"}],"source":{"advisory":"GHSA-9whh-mffv-xvh6","discovery":"UNKNOWN"},"title":"cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution"}},"cveMetadata":{"assignerOrgId":"a0819718-46f1-4df5-94e2-005712e83aaa","assignerShortName":"GitHub_M","cveId":"CVE-2026-34072","datePublished":"2026-04-01T16:51:33.306Z","dateReserved":"2026-03-25T16:21:40.867Z","dateUpdated":"2026-04-01T17:45:11.248Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.2"},"nvd":{"publishedDate":"2026-04-01 18:16:29","lastModifiedDate":"2026-04-03 16:10:52","problem_types":["CWE-287","CWE-306","CWE-693","CWE-287 CWE-287: Improper Authentication","CWE-306 CWE-306: Missing Authentication for Critical Function","CWE-693 CWE-693: Protection Mechanism Failure"],"metrics":{"cvssMetricV31":[{"source":"security-advisories@github.com","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L","baseScore":8.3,"baseSeverity":"HIGH","attackVector":"ADJACENT_NETWORK","attackComplexity":"LOW","privilegesRequired":"NONE","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"HIGH","availabilityImpact":"LOW"},"exploitabilityScore":2.8,"impactScore":5.5}]},"configurations":[]},"legacy_mitre":{"record":{"CveYear":"2026","CveId":"34072","Ordinal":"1","Title":"cronmaster: Middleware authentication bypass enabling unauthoriz","CVE":"CVE-2026-34072","Year":"2026"},"notes":[{"CveYear":"2026","CveId":"34072","Ordinal":"1","NoteData":"Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.","Type":"Description","Title":"cronmaster: Middleware authentication bypass enabling unauthoriz"}]}}}