Known affected by Account Takeover via Password Reset Token Leakage
Description
Known is a social publishing platform. Versions 1.6.2 and earlier contain a critical broken-authentication vulnerability: the application leaks the password reset token in a hidden HTML input field on the password reset page. This allows any unauthenticated attacker to retrieve the reset token for any user simply by querying with the user's email address, leading to full account takeover (ATO) without requiring access to the victim's email inbox. This vulnerability is fixed in 1.6.3.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Known social publishing platform before 1.6.3 leaks password reset tokens in a hidden HTML field, allowing unauthenticated attackers to fully compromise any account.
Vulnerability
Description
CVE-2026-26273 is a critical broken authentication vulnerability in Known (the idno social publishing platform) versions prior to 1.6.3. When a user requests a password reset, the application generates a verification token but incorrectly reflects that token in a hidden HTML input field on the subsequent password reset page (/account/password/reset/). The token is embedded in the page's source code, making it visible to anyone who can request that page [1][2][4]. A commit fixing the issue on 2025-03-12 shows the vulnerable code path: the old logic passed the token directly to the template without any server-side validation that the requesting client was the legitimate email recipient [3].
Exploitation
An unauthenticated attacker can exploit this vulnerability without any prior access to the victim's email inbox. The attack requires two steps: first, the attacker triggers a password reset for a known email address (e.g., by submitting the password reset form). Then, they make a GET request to the reset page with the victim's email as a parameter. The server responds with the password reset page containing the victim's reset token in a hidden field. Since no authentication or proof of email ownership is required to retrieve this page, the attacker can programmatically extract the token (e.g., via curl) [3][4]. The advisory provides a simple proof-of-concept demonstrating token extraction from the hidden `` field [4].
Impact
With the obtained token, the attacker can complete the password reset process and set a new password for the victim's account. This results in full account takeover (ATO), compromising the confidentiality, integrity, and availability of the account. Any user account on the platform, including administrative accounts, is vulnerable. An attacker could then post content, modify settings, access private data, or disrupt service for the legitimate owner [4]. The vulnerability is rated as critical due to the low complexity and potentially devastating impact.
Mitigation
The vulnerability is fixed in Known version 1.6.3, released as a security update on February 13, 2026 [1][2]. The fix, visible in commit 8439a07, adds server-side validation: the reset page now checks that a valid code and email are both provided, and uses hash_equals() to compare the submitted token against the stored recovery code before rendering the form. This prevents token leakage because the page is only served after successful token verification [3]. Users should upgrade to 1.6.3 or later immediately. No workarounds are documented, and given the severity, applying the patch is strongly recommended. This vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date.
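The two behaviours described above, modelled as an added example (not Known's own code) in a self-contained Python sketch: a vulnerable reset page that embeds the stored code for anyone who supplies the email, beside the 1.6.3-style flow that renders the form only after a constant-time match of the submitted code, answers reset requests identically whether or not the account exists, and rejects expired codes. The user store, the three-hour TTL constant and the redirect strings are assumptions for illustration.

```python
from __future__ import annotations
import hmac
import secrets
from dataclasses import dataclass

RESET_TTL = 3 * 60 * 60  # assumed: Known's error text says codes expire after three hours

@dataclass
class User:
    password: str
    recovery_code: str | None = None
    recovery_issued: float = 0.0

USERS = {"alice@example.invalid": User("old-pw")}  # constructed sample store, not real data

def request_reset(email: str, now: float) -> str:
    """Issue a code if the account exists, but answer identically either way (no enumeration)."""
    user = USERS.get(email)
    if user is not None:
        user.recovery_code, user.recovery_issued = secrets.token_hex(16), now
    return "account/password/?sent=true"

def code_is_valid(user: User | None, code: str, now: float) -> bool:
    """Constant-time match against the stored code; rejects empty, unknown and expired codes."""
    if user is None or not code or not user.recovery_code:
        return False
    if now - user.recovery_issued > RESET_TTL:
        return False
    return hmac.compare_digest(user.recovery_code, code)

def reset_page_vulnerable(email: str) -> str:
    """Pre-1.6.3 logic: the stored code is embedded in the form for anyone who knows the email."""
    user = USERS.get(email)
    code = user.recovery_code if user else None
    return f'<input type="hidden" name="code" value="{code}">' if code else "account/password"

def reset_page_fixed(email: str, code: str, now: float) -> str:
    """1.6.3 logic: the form is rendered only after the submitted code itself verifies."""
    if not code_is_valid(USERS.get(email), code, now):
        return "account/password"  # redirect back; the stored code never reaches the client
    return f'<input type="hidden" name="code" value="{code}">'

def post_reset(email: str, code: str, new_pw: str, now: float) -> bool:
    """Change the password only for a verified code, then burn the code."""
    user = USERS.get(email)
    if not code_is_valid(user, code, now):
        return False
    user.password = new_pw
    user.recovery_code = None
    return True
```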
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| idno/known (Packagist) | < 1.6.3 | 1.6.3 |
Affected products
- idno/known: range < 1.6.3
Patches
8439a0747471 Fix password reset security vulnerabilities (#3316)
2 files changed · +29 −21
Idno/Pages/Account/Password.php+3 −4 modified@@ -55,13 +55,12 @@ function postContent() $email->setTextBodyFromTemplate('account/password', array('email' => $email_address, 'code' => $auth_code)); $email->send(); - $this->forward(\Idno\Core\Idno::site()->config()->getURL() . 'account/password/?sent=true'); - } } - \Idno\Core\Idno::site()->session()->addErrorMessage(\Idno\Core\Idno::site()->language()->_("Oh no! We couldn't find an account associated with that email address.")); - $this->forward(\Idno\Core\Idno::site()->config()->getURL() . 'account/password'); + + // Always show the same response to prevent user enumeration + $this->forward(\Idno\Core\Idno::site()->config()->getURL() . 'account/password/?sent=true'); }
Idno/Pages/Account/Password/Reset.php+26 −17 modified@@ -19,16 +19,19 @@ function getContent() $code = $this->getInput('code'); $email = $this->getInput('email'); - if ($user = \Idno\Entities\User::getByEmail($email)) { - if ($code = $user->getPasswordRecoveryCode()) { + if (!empty($code) && !empty($email)) { + if ($user = \Idno\Entities\User::getByEmail($email)) { + $storedCode = $user->getPasswordRecoveryCode(); + if ($storedCode && hash_equals($storedCode, $code)) { - $t = \Idno\Core\Idno::site()->template(); - $t->body = $t->__(array('email' => $email, 'code' => $code))->draw('account/password/reset'); - $t->title = \Idno\Core\Idno::site()->language()->_('Reset password'); + $t = \Idno\Core\Idno::site()->template(); + $t->body = $t->__(array('email' => $email, 'code' => $code))->draw('account/password/reset'); + $t->title = \Idno\Core\Idno::site()->language()->_('Reset password'); - $t->drawPage(); - exit; + $t->drawPage(); + exit; + } } } 
@@ -47,18 +50,24 @@ function postContent() $password2 = trim($this->getInput('password2')); if (\Idno\Entities\User::checkNewPasswordStrength($password) && $password == $password2) { - if ($user = \Idno\Entities\User::getByEmail($email)) { - - if ($code = $user->getPasswordRecoveryCode()) { - - /* @var \Idno\Entities\User $user */ - $user->setPassword($password); - $user->clearPasswordRecoveryCode(); - $user->save(true); - \Idno\Core\Idno::site()->session()->addMessage(\Idno\Core\Idno::site()->language()->_("Your password was reset!")); - + if (!empty($code) && !empty($email)) { + if ($user = \Idno\Entities\User::getByEmail($email)) { + $storedCode = $user->getPasswordRecoveryCode(); + if ($storedCode && hash_equals($storedCode, $code)) { + + /* @var \Idno\Entities\User $user */ + $user->setPassword($password); + $user->clearPasswordRecoveryCode(); + $user->save(true); + \Idno\Core\Idno::site()->session()->addMessage(\Idno\Core\Idno::site()->language()->_("Your password was reset!")); + $this->forward(\Idno\Core\Idno::site()->config()->getURL()); + return; + + } } } + \Idno\Core\Idno::site()->session()->addErrorMessage(\Idno\Core\Idno::site()->language()->_("The password reset code wasn't valid. They expire after three hours, so you might need to try again.")); + $this->forward(\Idno\Core\Idno::site()->config()->getURL() . 'account/password'); } else { \Idno\Core\Idno::site()->session()->addErrorMessage(\Idno\Core\Idno::site()->language()->_('Sorry, your passwords either don\'t match, or are too weak')); $this->forward($_SERVER['HTTP_REFERER']);
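Review bot: in the Password.php postContent() hunk, the "Always show the same response to prevent user enumeration" change only equalises the redirect target; the visible lines still build and send the email only when getByEmail() finds an account, so the two branches do very different amounts of work and response timing can still separate registered from unregistered addresses. Consider deferring the send to a queue or otherwise making both paths comparable, and state that invariant in the comment so the next edit keeps it.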
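Review bot: in the Reset.php getContent() hunk, `hash_equals($storedCode, $code)` receives `$code` straight from `$this->getInput('code')` with only an `!empty()` guard, so a non-string value (an array-valued query parameter, for example) reaches hash_equals(), which requires string arguments and throws a TypeError on PHP 8, turning a malformed request into a 500. Check `is_string()` or cast both operands before comparing. The template is still drawn with `'code' => $code`, so the page continues to embed a code; that is now safe only because it is the already-verified client-supplied value, and a one-line comment saying so would stop a future refactor from reintroducing the leak.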
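Review bot: in the Reset.php postContent() hunk, the new error message promises that codes "expire after three hours", but nothing in the visible lines enforces an expiry; unless getPasswordRecoveryCode() returns null for stale codes, the message is inaccurate and a code stays valid until it is used. Also, the `!empty($code) && !empty($email)` / getByEmail() / hash_equals() block is duplicated verbatim from getContent(); a single helper such as `verifyRecoveryCode($email, $code)` would keep the two paths from drifting apart.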
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-78wq-6gcv-w28r (GHSA, ADVISORY)
- github.com/idno/known/commit/8439a0747471559fb1ea9f074b929d390f27e66a (GHSA, x_refsource_MISC)
- github.com/idno/known/releases/tag/1.6.3 (GHSA, x_refsource_MISC)
- github.com/idno/known/security/advisories/GHSA-78wq-6gcv-w28r (GHSA, x_refsource_CONFIRM)
News mentions
No linked articles in our index yet.