VYPR
Unrated severity · NVD Advisory · Published May 17, 2022 · Updated Apr 23, 2025

Predictable password reset token may lead to account takeover in countly-server

CVE-2022-29174

Description

countly-server is the server-side part of Countly, a product analytics solution. Prior to versions 22.03.7 and 21.11.4, a malicious actor who knows an account email address/username and full name specified in the database is capable of guessing the password reset token. The actor may use this information to reset the password and take over the account. The problem has been patched in Countly Server version 22.03.7 for servers using the new user interface and in 21.11.4 for servers using the old user interface.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Countly server used a predictable password reset token derived from a user's username and full name, enabling attackers to take over accounts.

Vulnerability

In Countly Server prior to versions 22.03.7 (new UI) and 21.11.4 (old UI), password reset token generation is predictable. The token was a SHA-512 hash over the concatenation of the account's username and full_name fields as stored in the database, together with a timestamp [1]. Both name fields are attacker-knowable and the timestamp is confined to a narrow window around the reset request, so an attacker who knows the victim's email address/username and full name can recompute the token and use it to reset the victim's password without any further authentication [2].

Exploitation

The attacker first needs the victim's email address (or username) and full name exactly as stored in Countly's database. With those two values the attacker computes SHA-512 over username + full_name combined with the timestamp of the reset request; since that timestamp is not known precisely, the attacker generates candidate tokens for a small window of timestamps around the time the reset was triggered and submits each to the password reset endpoint until one is accepted. The accepted token lets the attacker set a new password and log in as the victim [1][2].

Impact

Successful exploitation is a complete account takeover: the attacker logs in as the victim, reads whatever analytics data the victim can see, and performs any action the victim is authorized to perform [2].

Mitigation

The vulnerability is patched in Countly Server 22.03.7 for servers using the new user interface and 21.11.4 for servers using the old user interface [2]. The fix replaces the predictable derivation with a cryptographically secure random token (crypto.randomBytes(32).toString('hex')), so the token no longer depends on anything an attacker can know or enumerate [1]. No workaround is provided; upgrading to a patched version is the only remedy.

AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Countly/countly-server, 2 version ranges
    • range: <21.11.4 or <22.03.7 (no CPE)
    • range: <21.11.4 (no CPE)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References (2)

News mentions (0)

No linked articles in our index yet.