CVE-2021-36758
MEDIUM
1Password Connect < 1.2 - Privilege Escalation via Secrets Automation Access Token
Title source: llm
Description
1Password Connect server before 1.2 is missing validation checks, permitting users to create Secrets Automation access tokens that can be used to perform privilege escalation. Malicious users authorized to create Secrets Automation access tokens can create tokens that have access beyond what the user is authorized to access, but limited to the existing authorizations of the Secrets Automation the token is created in.
References (1)
Core References
Patch, Vendor Advisory x_refsource_misc
https://support.1password.com/kb/202106/
Scores
CVSS v3
5.4
EPSS
0.0047
EPSS Percentile
37.5%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Details
CWE
CWE-20
CWE-863
Status
published
Products (1)
1password/connect
< 1.2
Published
Jul 16, 2021
Tracked Since
Feb 18, 2026