CVE-2026-34072

HIGH

cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution

Title source: cna
Description

Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.
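
The failure mode described above, fail-open handling of a failed session-validation call, shown next to a fail-closed version. This is an added illustration, not cronmaster's code: the function names, the `validateSession` callback, the response shape and the cookie values are all assumptions constructed for the example.

```javascript
// Added illustration; not cronmaster's code. All names here are hypothetical.
// validateSession stands in for the middleware's session-validation fetch.

// Fail-open shape: only an explicit rejection blocks the request.
async function failOpenMiddleware(cookie, validateSession) {
  if (!cookie) return { allow: false, reason: "no session cookie" };
  try {
    const res = await validateSession(cookie);
    if (!res.ok) return { allow: false, reason: "invalid session" };
  } catch (err) {
    // Validation call failed: the error is swallowed and control falls through.
  }
  return { allow: true, reason: "not rejected" };
}

// Fail-closed shape: only an explicit positive answer admits the request.
async function failClosedMiddleware(cookie, validateSession) {
  if (!cookie) return { allow: false, reason: "no session cookie" };
  let res;
  try {
    res = await validateSession(cookie);
  } catch (err) {
    return { allow: false, reason: "session validation unavailable" };
  }
  if (!res.ok || res.valid !== true) {
    return { allow: false, reason: "invalid session" };
  }
  return { allow: true, reason: "session validated" };
}

// Constructed validators: one healthy, one whose call always fails.
const healthy = async (c) => (c === "valid-cookie" ? { ok: true, valid: true } : { ok: false });
const failing = async () => { throw new Error("validation fetch failed"); };

// Run both middlewares over the same constructed inputs.
async function compare() {
  const out = {};
  for (const [name, mw] of [["failOpen", failOpenMiddleware], ["failClosed", failClosedMiddleware]]) {
    out[name] = {
      validHealthy: (await mw("valid-cookie", healthy)).allow,
      invalidHealthy: (await mw("bogus", healthy)).allow,
      invalidFailing: (await mw("bogus", failing)).allow,
    };
  }
  return out;
}

compare().then((r) => console.log(r));
```

The fail-closed version also denies valid sessions while validation is unavailable; that loss of availability is the price of never admitting a request on an unverified cookie.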

Scores

CVSS v3 8.3
EPSS 0.0006
EPSS Percentile 17.6%
Attack Vector ADJACENT_NETWORK
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-287 CWE-306 CWE-693
Status published
Products (1)
fccview/cronmaster < 2.2.0
Published Apr 01, 2026
Tracked Since Apr 01, 2026