Missing Authorization with Default Settings in Dashboard UI
Description
Hangfire Dashboard UI in version 1.7.25 removed default authorization filters, allowing remote access to sensitive job data; fixed in 1.7.26.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Hangfire.Core 1.7.25, the default authorization filter LocalRequestsOnlyAuthorizationFilter was no longer applied when UseHangfireDashboard was called without custom filters in DashboardOptions.Authorization [1][2][4]. Earlier releases applied this filter implicitly, so only requests originating from the local machine could reach the Dashboard UI; 1.7.25 applies no filter at all, so remote HTTP requests succeed. Versions before 1.7.25 and 1.7.26 or later are not affected. Applications that already set their own DashboardOptions.Authorization filters are also unaffected, because the built-in default is only used when no filters are configured.
Exploitation
An attacker who can reach the Hangfire Dashboard endpoint over the network (typically /hangfire, or whatever path was passed to UseHangfireDashboard) exploits the issue with a plain HTTP GET to that URL; no credentials, session or user interaction are required [4]. The only precondition is the vulnerable default: Hangfire.Core 1.7.25 with no custom filters in DashboardOptions.Authorization.
Impact
Successful exploitation grants the attacker access to the Hangfire Dashboard, exposing background job data such as job type and method names, serialized job arguments, state and execution history, and failure details [2][4]. This is reported as an information disclosure vulnerability: job arguments routinely carry customer data, identifiers or secrets that the application passes to background work. Note that the Dashboard is not a read-only view by default; unless DashboardOptions.IsReadOnlyFunc restricts it, the same unauthenticated client can also use the UI's job management actions (requeue, delete, trigger). No remote code execution or privilege escalation is reported.
Mitigation
The issue is fixed in Hangfire.Core 1.7.26, available on NuGet.org and GitHub [1][4]; upgrade to that version or later. If upgrading is not possible, explicitly set DashboardOptions.Authorization when calling UseHangfireDashboard, either with LocalRequestsOnlyAuthorizationFilter (restoring the intended default) or with your own IDashboardAuthorizationFilter implementations [4]. Pinning the filters explicitly is good practice on any version, since it removes the dependency on a library default. After deploying, verify from a non-loopback address that a GET to the Dashboard path returns HTTP 401 rather than the UI.
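The following is an added example (not Hangfire's own code, and not from the advisory) showing the vulnerable default call beside a hardened ASP.NET Core configuration that sets DashboardOptions.Authorization explicitly. It assumes the Hangfire.Core, Hangfire.AspNetCore and Hangfire.InMemory packages, and an authentication scheme registered in services (not shown); RoleDashboardAuthorizationFilter is a hypothetical filter written for this example.

```csharp
// Added example, not Hangfire project code. Assumes packages Hangfire.Core,
// Hangfire.AspNetCore and Hangfire.InMemory (in-memory storage is only so the
// demo runs without a database), plus an authentication scheme configured in
// services so that HttpContext.User is populated.
using Hangfire;
using Hangfire.Dashboard;
using Microsoft.AspNetCore.Builder;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;

var builder = WebApplication.CreateBuilder(args);
builder.Services.AddHangfire(cfg => cfg.UseInMemoryStorage());
builder.Services.AddHangfireServer();

var app = builder.Build();
app.UseAuthentication(); // requires a scheme registered in services (not shown)

// VULNERABLE on Hangfire.Core 1.7.25: no Authorization filters are configured and
// that release applies no default, so any remote client can open /hangfire.
// app.UseHangfireDashboard("/hangfire");

// HARDENED on any version: pin the filters explicitly. Every filter in
// Authorization must return true or the dashboard middleware answers HTTP 401.
IDashboardAuthorizationFilter[] filters = app.Environment.IsDevelopment()
    // The workaround from the advisory: restore the intended local-only default.
    ? new IDashboardAuthorizationFilter[] { new LocalRequestsOnlyAuthorizationFilter() }
    // Where remote operators legitimately need the UI, gate it on identity instead.
    : new IDashboardAuthorizationFilter[] { new RoleDashboardAuthorizationFilter("Ops") };

app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
    Authorization = filters,
    // The UI is not read-only by default (requeue/delete/trigger). Only a
    // hypothetical "OpsAdmin" role may manage jobs; everyone else gets a read-only view.
    IsReadOnlyFunc = ctx => !ctx.GetHttpContext().User.IsInRole("OpsAdmin")
});

app.Run();

// Hypothetical filter for this example: allow only authenticated users in a role.
// DashboardContext.GetHttpContext() is the Hangfire.AspNetCore extension method.
public sealed class RoleDashboardAuthorizationFilter : IDashboardAuthorizationFilter
{
    private readonly string _role;

    public RoleDashboardAuthorizationFilter(string role) => _role = role;

    public bool Authorize(DashboardContext context)
    {
        var user = context.GetHttpContext().User;
        // Deny by default: anonymous requests and users outside the role are refused,
        // which the dashboard middleware turns into an HTTP 401 response.
        return user?.Identity?.IsAuthenticated == true && user.IsInRole(_role);
    }
}
```

Because filters are combined with AND, adding LocalRequestsOnlyAuthorizationFilter to the production array would lock out the remote operators the role filter is meant to admit; choose one policy per environment rather than stacking both.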
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| Hangfire.Core | NuGet | >= 1.7.25, < 1.7.26 | 1.7.26 |
Affected products
- Hangfire.Core, range: = 1.7.25
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] github.com/advisories/GHSA-7rq6-7gv8-c37h (GHSA advisory)
- [2] nvd.nist.gov/vuln/detail/CVE-2021-41238 (NVD advisory)
- [3] github.com/HangfireIO/Hangfire/issues/1958 (GitHub issue)
- [4] github.com/HangfireIO/Hangfire/security/advisories/GHSA-7rq6-7gv8-c37h (vendor security advisory)
- [5] www.nuget.org/packages/Hangfire.Core (NuGet package page)
News mentions
No linked articles in our index yet.