Description
OctoPrint is a web interface for 3D printer.s OctoPrint versions up until and including 1.9.3 contain a vulnerability that allows malicious admins to change the password of other admin accounts, including their own, without having to repeat their password. An attacker who managed to hijack an admin account might use this to lock out actual admins from their OctoPrint instance. The vulnerability will be patched in version 1.10.0.
References (3)
Core 3
Core References
Third Party Advisory x_refsource_confirm
https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-5626-pw9c-hmjr
Patch x_refsource_misc
https://github.com/OctoPrint/OctoPrint/commit/1729d167b4ae4a5835bbc7211b92c6828b1c4125
Release Notes x_refsource_misc
https://github.com/OctoPrint/OctoPrint/releases/tag/1.10.0rc1
Scores
CVSS v3
4.2
EPSS
0.0052
EPSS Percentile
39.7%
Attack Vector
LOCAL
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
no
Technical Impact
partial
Details
CWE
CWE-620
CWE-287
Status
published
Products (2)
octoprint/octoprint
< 1.9.3
pypi/OctoPrint
0 - 1.10.0rc1PyPI
Published
Jan 31, 2024
Tracked Since
Feb 18, 2026