VYPR
Medium severity (score 6.5) · NVD Advisory · Published May 8, 2026 · Updated May 14, 2026

CVE-2026-41308

Description

Password Pusher is an open source application to communicate sensitive information over the web. Prior to versions 1.69.3 and 2.4.2, a security issue in OSS PasswordPusher allowed unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. This could bypass the intended authentication boundary for file push creation. This issue has been patched in versions 1.69.3 and 2.4.2.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-41308: Unauthenticated file push creation in Password Pusher due to inconsistent authentication checks in the JSON API.

Vulnerability

Analysis

Password Pusher versions prior to 1.69.3 and 2.4.2 contain an authentication bypass vulnerability affecting file-type push creation. The root cause lies in inconsistent enforcement of authentication checks when the application is configured to allow anonymous access (allow_anonymous: true). The code previously only checked Settings.allow_anonymous to decide whether to authenticate, but did not separately enforce authentication for file pushes created via the JSON API. This meant an API endpoint that accepted a :files parameter or a kind: "file" parameter could create a file push without requiring the user to be logged in, even though such operations should be restricted to authenticated users [1][2].

Exploitation

An unauthenticated attacker can exploit this by sending a crafted POST request to the generic JSON API create path (e.g., /p.json or the v2 API endpoint) that includes either a files key or sets kind: "file". No prior authentication or session is needed. However, exploitation depends on the application configuration: file push functionality must be enabled, and anonymous creation must not be fully disabled (i.e., allow_anonymous must be true). If allow_anonymous is set to false, the vulnerability does not apply because all create actions already require authentication [1][2].

Impact

The primary impact is unauthorized creation of file-type pushes, leading to potential resource exhaustion (storage and bandwidth) from an unauthenticated actor. The advisory notes no direct data confidentiality impact from this issue alone, but the ability to store arbitrary data without authentication could be leveraged in combination with other weaknesses or for denial-of-service [2].

Mitigation

Both affected series have been patched: OSS v1 users should upgrade to v1.69.4 (or v1.69.3 if v1.69.4 is not available), and v2 users should upgrade to v2.4.2. The fix ensures authentication is consistently enforced for any create request that indicates file intent, across all supported API paths [1][3]. If immediate upgrade is not possible, administrators can mitigate the risk by disabling anonymous creation (allow_anonymous: false), disabling file push functionality entirely, or blocking untrusted API traffic at a reverse proxy or WAF [2].
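To make the inconsistent check in the Analysis and the allow_anonymous: false mitigation concrete, here is a constructed Ruby model of the create-path authorization decision before and after the fix. It is added illustration, not Password Pusher's own code; the PushAuthz module, its setting keys and the sample requests are assumptions.

```ruby
# Constructed model of the create-path authorization decision described
# in the advisory. Illustrative code, not Password Pusher's own; the
# settings and request params are plain hashes.
module PushAuthz
  # A create request "indicates file intent" when it carries a non-empty
  # :files payload or explicitly asks for kind: "file" (string or symbol keys).
  def self.file_intent?(params)
    files = params[:files] || params["files"]
    kind  = params[:kind]  || params["kind"]
    (files.is_a?(Array) && !files.empty?) || kind.to_s == "file"
  end

  # Pre-fix logic: authentication is demanded only when anonymous pushes
  # are disabled, so with allow_anonymous: true a file push is accepted
  # from an unauthenticated caller.
  def self.vulnerable_requires_auth?(settings, _params)
    !settings[:allow_anonymous]
  end

  # Patched logic: anonymous callers may still create text pushes when the
  # deployment allows it, but any request with file intent needs a session.
  def self.patched_requires_auth?(settings, params)
    return true unless settings[:allow_anonymous]
    file_intent?(params)
  end

  # Simulates the create action and returns the HTTP status the caller
  # would receive: 401 when a required login is missing, otherwise 201.
  def self.create(settings, params, logged_in:, logic: :patched)
    required = if logic == :patched
                 patched_requires_auth?(settings, params)
               else
                 vulnerable_requires_auth?(settings, params)
               end
    required && !logged_in ? 401 : 201
  end
end

# Constructed sample requests: two spellings of an anonymous file push, one text push.
ANON_FILE_PUSH  = { "kind" => "file", "payload" => "see attachment" }
ANON_FILES_PUSH = { files: ["report.pdf"], payload: "see attachment" }
ANON_TEXT_PUSH  = { payload: "one-time secret" }

cfg = { allow_anonymous: true }
[ANON_FILE_PUSH, ANON_FILES_PUSH, ANON_TEXT_PUSH].each do |req|
  before = PushAuthz.create(cfg, req, logged_in: false, logic: :vulnerable)
  after  = PushAuthz.create(cfg, req, logged_in: false)
  puts "#{req.inspect} -> before fix: #{before}, after fix: #{after}"
end
```

With allow_anonymous: false both versions return 401 for every anonymous request, which is why disabling anonymous creation is a valid stopgap until the upgrade.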

AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
