VYPR
← All advisories
Medium severity5.4NVD Advisory· Published Apr 7, 2026· Updated Apr 15, 2026

CVE-2026-39401

CVE-2026-39401

Description

Cronicle is a multi-server task scheduler and runner, with a web based front-end UI. Prior to 0.9.111, jb child processes can include an update_event key in their JSON output. The server applies this directly to the parent event's stored configuration without any authorization check. A low-privilege user who can create and run events can modify any event property, including webhook URLs and notification emails. This vulnerability is fixed in 0.9.111.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Cronicle <0.9.111 allows low-privilege users to modify event configs via update_event job output, enabling privilege escalation.

Vulnerability

Cronicle prior to 0.9.111 accepts an update_event key in JSON output from job child processes. The server applies this key directly to the parent event's stored configuration without any authorization check [1]. This flaw exists in the job output parser and the update logic in lib/job.js [1].

Exploitation

A low-privilege user with create_events and run_events privileges can craft a shell script event that outputs JSON containing an update_event object. For example, the output can set a new webhook URL or notification email. When the job runs, the server updates the event configuration with the attacker-controlled values [1].

Impact

Successful exploitation allows an attacker to redirect webhook notifications to an attacker-controlled server, exfiltrating sensitive job data such as script contents, environment variables, and internal network information. Additionally, the attacker can change notification email addresses to intercept alerts [1].

Mitigation

The vulnerability is fixed in Cronicle version 0.9.111. The fix removes update_event from the allowed keys in the job output parser or adds proper authorization checks before applying updates [1].

References
  1. Privilege Escalation via update_event Job Output in Cronicle

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2
  • Cronicle/Cronicle2 versions
    cpe:2.3:a:cronicle:cronicle:*:*:*:*:*:*:*:*+ 1 more
    • cpe:2.3:a:cronicle:cronicle:*:*:*:*:*:*:*:*range: <0.9.111
    • (no CPE)range: <0.9.111

Patches

0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

1

News mentions

0

No linked articles in our index yet.