CVE-2020-26061
Description
ClickStudios Passwordstate Password Reset Portal prior to build 8501 is affected by an authentication bypass vulnerability. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. An unauthenticated, remote attacker can send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An authentication bypass in ClickStudios Passwordstate Password Reset Portal before build 8501 allows unauthenticated remote attackers to reset any user's password.
Vulnerability
The ClickStudios Passwordstate Password Reset Portal prior to build 8501 (version 8.5) is affected by an authentication bypass vulnerability [2]. The ResetPassword function does not validate whether the user has successfully authenticated using security questions. This allows an unauthenticated, remote attacker to send a crafted HTTP request to the /account/ResetPassword page to set a new password for any registered user [2].
Exploitation
An attacker needs no prior authentication or network position beyond HTTP access to the Passwordstate instance [2]. The exploitation involves sending a crafted HTTP POST request to the /account/ResetPassword endpoint with parameters specifying the target username and desired new password. The server fails to enforce the security question authentication step, processing the request as valid [2].
Impact
Successful exploitation allows the attacker to change the password of any registered user, leading to unauthorized account access [2]. This can result in exposure of sensitive credentials stored in Passwordstate, privilege escalation if the compromised account has administrative rights, and further compromise of systems managed using those credentials.
Mitigation
The vulnerability was fixed in Passwordstate version 8.5 build 8501, released on October 12, 2018 [2]. Users should update to this build or later. No workaround is documented in the available references [2]. If the software is end-of-life and cannot be updated, consider restricting network access to the Password Reset Portal or disabling it entirely.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- ClickStudios/Passwordstate
- Range: <8501
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The ResetPassword function does not validate whether the user has successfully authenticated using security questions before allowing a password reset."
Attack vector
An unauthenticated, remote attacker sends a crafted HTTP request to the `/account/ResetPassword` page. The ResetPassword function does not validate whether the user has successfully authenticated using security questions [ref_id=1]. This allows the attacker to set a new password for any registered user without prior authentication.
Affected code
The vulnerability resides in the ResetPassword function of the Password Reset Portal. The researcher identifies the affected endpoint as `/account/ResetPage` (likely a typo for `/account/ResetPassword`). No patch diff is available in the bundle.
What the fix does
The advisory states the vulnerability was fixed in version 8.5 Build 8501 (October 12, 2018) [ref_id=1]. No patch diff is included in the bundle, so the exact code change is unknown. The remediation guidance is to update the software on all affected devices to the fixed build.
Preconditions
- Auth: No authentication required; the attacker can be unauthenticated and remote.
- Config: The target must be running Passwordstate Password Reset Portal before build 8501.
- Network: Attacker must be able to send HTTP requests to the /account/ResetPassword endpoint.
- Input: Attacker must craft a request that bypasses the security-question authentication step.
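The missing check described above, modelled as an added illustration. This is not Passwordstate's code (the portal is an ASP.NET application and the change in build 8501 is not public), so the "fixed" handler is an assumed hardening: the reset step is tied to server-side session state that only the security-question step can set. The `/account/VerifyQuestions` path, the session fields and the log format are all assumptions made for this example, and the user records and log lines are constructed sample data. The audit function at the end shows the detection side: flagging sessions that reached the reset endpoint without a preceding successful verification.

```python
"""Password-reset flow with and without the session-state check.

Added example modelled on the CVE-2020-26061 description. Not
Passwordstate's code; the 'fixed' handler is an assumed hardening.
"""
from dataclasses import dataclass, field
from typing import Optional
import hmac


@dataclass
class Session:
    """Server-side session state for one browser session (assumed design)."""
    username: Optional[str] = None   # user the reset flow was started for
    questions_passed: bool = False   # set only after correct security answers


@dataclass
class ResetPortal:
    # Constructed sample data: username -> stored password and security answer.
    users: dict = field(default_factory=lambda: {
        "alice": {"password": "Old-Pass-1", "answer": "fluffy"},
        "bob": {"password": "Old-Pass-2", "answer": "rover"},
    })

    def answer_questions(self, session: Session, username: str, answer: str) -> bool:
        """Step 1: verify the security answer and record the result in the session."""
        record = self.users.get(username)
        ok = record is not None and hmac.compare_digest(record["answer"], answer)
        session.username = username if ok else None
        session.questions_passed = ok
        return ok

    def reset_password_vulnerable(self, session: Session, username: str,
                                  new_password: str) -> bool:
        """Step 2 as the advisory describes it: the handler trusts the request's
        username and never consults whether step 1 happened."""
        if username not in self.users:
            return False
        self.users[username]["password"] = new_password
        return True

    def reset_password_fixed(self, session: Session, username: str,
                             new_password: str) -> bool:
        """Step 2 hardened (assumed fix): require that this session passed step 1
        for exactly this user, and consume the proof so it cannot be reused."""
        if not session.questions_passed or session.username != username:
            return False
        self.users[username]["password"] = new_password
        session.questions_passed = False
        session.username = None
        return True


# Constructed sample access log: session id, method, path, status.
SAMPLE_LOG = [
    "sess=A POST /account/VerifyQuestions 200",
    "sess=A POST /account/ResetPassword 200",
    "sess=B POST /account/ResetPassword 200",
    "sess=C POST /account/VerifyQuestions 403",
    "sess=C POST /account/ResetPassword 200",
]


def unverified_resets(log_lines):
    """Return session ids that completed a reset without a prior successful
    verification in the same session. On a patched build these should not occur;
    on an unpatched build they are the bypass attempts to investigate."""
    verified = set()
    suspicious = []
    for line in log_lines:
        sess, _method, path, status = line.split()
        sess = sess.split("=", 1)[1]
        if path.endswith("/VerifyQuestions") and status == "200":
            verified.add(sess)
        elif path.endswith("/ResetPassword") and status == "200" and sess not in verified:
            suspicious.append(sess)
    return suspicious


if __name__ == "__main__":
    portal, session = ResetPortal(), Session()
    print("reset without step 1 (fixed):", portal.reset_password_fixed(session, "alice", "x"))
    portal.answer_questions(session, "alice", "fluffy")
    print("reset after step 1 (fixed):", portal.reset_password_fixed(session, "alice", "New-Pass-9"))
    print("sessions to investigate:", unverified_resets(SAMPLE_LOG))
```

The key design point is that the proof of verification lives in server-side session state keyed to a specific user, never in request parameters, and is single-use; the same rule applies whether the real implementation uses a session flag, a signed server-issued token, or a database record.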
Reproduction
The researcher provides a proof-of-concept script at https://github.com/missing0x00/CVE-2020-26061/blob/main/CVE-2020-26061.py [ref_id=1]. The script sends a crafted HTTP request to the `/account/ResetPassword` page to set a new password for any registered user without first answering security questions.
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. www.clickstudios.com.au/passwordstate-changelog.aspx (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.