CVE-2025-32788

MEDIUM

Octoprint < 1.11.0 - Authentication Bypass by Spoofing

Title source: rule

Description

OctoPrint provides a web interface for controlling consumer 3D printers. In versions up to and including 1.10.3, OctoPrint has a vulnerability that allows an attacker to bypass the login redirect and directly access the rendered HTML of certain frontend pages. The primary risk lies in potential future modifications to the codebase that might incorrectly rely on the vulnerable internal functions for authentication checks, leading to security vulnerabilities. This issue has been patched in version 1.11.0.

References (2)

[Vendor Advisory] https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-qw93-h6pf-226x

[Patch] https://github.com/OctoPrint/OctoPrint/commit/41ff431014edfa18ca1a01897b10463934dc7fc2

View Patch ZIP pw:eip

Scores

CVSS v3 4.3

EPSS 0.0009

EPSS Percentile 24.7%

Attack Vector ADJACENT_NETWORK

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-290

Status published

Products (2)

octoprint/octoprint < 1.11.0

pypi/OctoPrint 0 - 1.11.0PyPI

Published Apr 22, 2025

Tracked Since Feb 18, 2026