Medium severity6.5NVD Advisory· Published Apr 13, 2026· Updated Apr 17, 2026

CVE-2026-40043

Description

Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a switch to user ID 1 to obtain session tokens or password hashes belonging to administrator accounts.

Affected products

Pachno/Pachnoinferred
Range: <=1.0.6

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.vulncheck.com/advisories/pachno-authentication-bypass-via-runswitchusernvd
www.zeroscience.mknvd
www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5985.phpnvd

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000