CVE-2026-34408
Description
An issue was discovered in Gambio 4.9.2.0 (patched in 2024-02 v1.0.0 for GX4 v4.0.0.0 to v4.9.2.0). The password reset function can be bypassed to set arbitrary passwords for arbitrary accounts if the ID is known.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Gambio 4.9.2.0 password reset bypass allows arbitrary password change for any known user ID, leading to full account takeover.
Vulnerability
Overview
CVE-2026-34408 is a critical vulnerability in Gambio 4.9.2.0 and earlier affected GX4 versions that allows an attacker to bypass the password reset mechanism and set a new password for any user account, provided the user's ID is known. The root cause lies in the PasswordDoubleOptContentControl.inc.php file, where the check for a valid password reset token can be circumvented by submitting a space character (%20) as the key parameter [2]. This flaw is classified under CWE-640 (Weak Password Recovery Mechanism for Forgotten Password) [2].
Exploitation
The attack is performed by sending a POST request to password_double_opt.php?action=save_password with the target customers_id (e.g., 1 for the default admin) and a space character as the key parameter. The vulnerable code checks if the database query returns a result or if the key is an empty string; however, a space character is not empty, so the check passes, and the new password provided in the request is accepted without requiring the legitimate reset token [2]. No authentication is needed, and the only prerequisite is knowledge of the target user's ID, which is often predictable (e.g., admin ID 1).
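The following PHP is an added illustration written for this page, not code from Gambio or from the advisory; it is a simplified model built from the description above, not the actual contents of PasswordDoubleOptContentControl.inc.php. It contrasts a reset handler that only rejects an empty key (the pattern described above) with one that actually validates the token. Every name in it (`$store`, `weakSavePassword`, `safeSavePassword`, `reset_key_hash`, `reset_expires`) is an assumption made for the example.

```php
<?php
// Added example, not Gambio's code. Models the weak reset check described for
// CVE-2026-34408 beside a hardened version. Names are assumptions for the example.

// Constructed in-memory "customers" table: customer 1 has an outstanding reset
// token. Only a hash of the token is stored, so a database leak does not expose it.
$resetToken = bin2hex(random_bytes(16));          // what the reset e-mail would carry
$store = [
    1 => [
        'password_hash'  => password_hash('old-secret', PASSWORD_DEFAULT),
        'reset_key_hash' => hash('sha256', $resetToken),
        'reset_expires'  => time() + 3600,
    ],
];

// Weak pattern: the account is looked up by ID alone and the key is only
// rejected when it is the empty string. A single space is not '', so the
// submitted key is never actually compared with the stored token.
function weakSavePassword(array &$store, int $customersId, string $key, string $newPassword): bool
{
    if (!isset($store[$customersId]) || $key === '') {
        return false;
    }
    $store[$customersId]['password_hash'] = password_hash($newPassword, PASSWORD_DEFAULT);
    return true;
}

// Hardened pattern: require a non-blank key, require an unexpired outstanding
// token for that account, compare in constant time against the stored hash,
// and invalidate the token after one use.
function safeSavePassword(array &$store, int $customersId, string $key, string $newPassword): bool
{
    $key = trim($key);
    if ($key === '' || !isset($store[$customersId])) {
        return false;
    }
    $row = $store[$customersId];
    if ($row['reset_key_hash'] === null || $row['reset_expires'] < time()) {
        return false;                               // no pending or expired request
    }
    if (!hash_equals($row['reset_key_hash'], hash('sha256', $key))) {
        return false;                               // wrong token
    }
    $store[$customersId]['password_hash']  = password_hash($newPassword, PASSWORD_DEFAULT);
    $store[$customersId]['reset_key_hash'] = null;  // single use
    $store[$customersId]['reset_expires']  = 0;
    return true;
}

// Demonstration with the constructed store: a blank key is accepted by the weak
// check but rejected by the hardened one; only the real token is accepted.
$weakCopy = $store;
var_dump(weakSavePassword($weakCopy, 1, ' ', 'attacker-chosen'));   // bool(true)

$safeCopy = $store;
var_dump(safeSavePassword($safeCopy, 1, ' ', 'attacker-chosen'));   // bool(false)
var_dump(safeSavePassword($safeCopy, 1, 'wrong', 'attacker-chosen')); // bool(false)
var_dump(safeSavePassword($safeCopy, 1, $resetToken, 'new-secret')); // bool(true)
var_dump(safeSavePassword($safeCopy, 1, $resetToken, 'again'));      // bool(false), token consumed
var_dump(password_verify('new-secret', $safeCopy[1]['password_hash'])); // bool(true)
```

The point of the hardened version is that the account ID is never sufficient on its own: the token is the credential, it is bound to the account, it expires, it is compared with `hash_equals` rather than loose string comparison, and it is cleared once used. Whitespace trimming happens before the empty check so that `%20` and similar inputs cannot slip past it.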
Impact
Successful exploitation results in immediate account takeover. An attacker can change the password of any user, including administrative accounts, gaining full control over the affected Gambio online shop. This can lead to data theft, manipulation of store content, customer data exposure, and further compromise of the underlying server. The vendor has rated this vulnerability as critical with a CVSS v3 score of 9.1 [1].
Mitigation
The vendor released a security update (2024-02 v1.0.0) for GX4 versions 4.0.0.0 through 4.9.2.0, which patches this vulnerability [1]. Gambio Cloud customers were automatically protected. Users of self-hosted installations are strongly advised to apply the update immediately. No active exploitation in the wild has been reported as of the advisory date [1].
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0 (no patches discovered yet)
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References: 2
News mentions: 0 (no linked articles in our index yet)