CVE-2020-11671
Description
Lack of authorization controls in REST API functions in TeamPass through 2.1.27.36 allows any TeamPass user with a valid API token to become a TeamPass administrator and read/modify all passwords via authenticated api/index.php REST API calls. NOTE: the API is not available by default.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
TeamPass REST API lacks authorization checks, allowing any API token user to gain admin privileges and access all passwords.
Vulnerability Details
The TeamPass REST API (api/index.php) lacks authorization checks for any function. Any authenticated user with a valid API token is treated as an administrator, allowing unrestricted access to all API endpoints [1][2].
Exploitation
The API is disabled by default, but if enabled, any user can generate an API key and send authenticated requests. An attacker can enumerate items by incrementing IDs, retrieve all passwords, and even create new administrative users via base64-encoded payloads [2].
Impact
An attacker can read all passwords, create new users with admin privileges, modify any item, and delete folders. This leads to complete compromise of the TeamPass instance [1][2].
Mitigation
The API should remain disabled unless absolutely necessary. As of version 2.1.27.36, no patch is available; users must restrict API access or disable it entirely [1].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| nilsteampassnet/teampass (Packagist) | <= 2.1.27.36 | — |
Affected products
- TeamPass/TeamPass
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-gmr7-m73x-6c9q (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-11671 (ghsa, ADVISORY)
- github.com/nilsteampassnet/TeamPass/issues/2765 (ghsa, x_refsource_MISC, WEB)