CVE-2024-32977

HIGH

OctoPrint <= 1.10.0 - Unauthenticated Authentication Bypass via X-Forwarded-For Header Spoofing

Title source: llm

Description

OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up until and including 1.10.0 contain a vulnerability that allows an unauthenticated attacker to completely bypass the authentication if the `autologinLocal` option is enabled within `config.yaml`, even if they come from networks that are not configured as `localNetworks`, spoofing their IP via the `X-Forwarded-For` header. If autologin is not enabled, this vulnerability does not have any impact. The vulnerability has been patched in version 1.10.1. Until the patch has been applied, OctoPrint administrators who have autologin enabled on their instances should disable it and/or to make the instance inaccessible from potentially hostile networks like the internet.

References (2)

Core 2

Core References

Exploit, Vendor Advisory x_refsource_confirm

https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-2vjq-hg5w-5gm7

Patch x_refsource_misc

https://github.com/OctoPrint/OctoPrint/commit/5afbec8d23508edc25b0f1bdef1620580136add4

View Patch ZIP pw:eip

Scores

CVSS v3 7.1

EPSS 0.0090

EPSS Percentile 54.7%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-290

Status published

Products (2)

octoprint/octoprint < 1.10.1

pypi/OctoPrint 0 - 1.10.1PyPI

Published May 14, 2024

Tracked Since Feb 18, 2026