2 matches found
CVE-2026-44986 Penpot: Pre-authenticated account takeover via team-invitation token + prepare-register-profile
Penpot is an open-source design tool for design and code collaboration. Prior to 2.14.5, Penpot exposed teamsinvitations.clj invitation tokens from create-team-invitations, embedded an existing profile id in auth.clj prepare-register-profile, and had auth.clj register-profile issue a session base...
CVE-2026-44986
CVE-2026-44986 affects Penpot prior to 2.14.5. The issue allows a pre-authenticated account takeover via team invitation tokens: tokens from create-team-invitations were exposed, an existing profile id was embedded in auth.clj prepare-register-profile, and auth.clj register-profile could issue a ...