VYPR
High severity · NVD Advisory · Published Jun 11, 2026 · Updated Jun 11, 2026

CVE-2026-47181

Description

NoSQL injection in PenguinMod-BackendApi password reset endpoint allows authenticated users to change any account's password, leading to full account takeover.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The password reset endpoint in PenguinMod-BackendApi prior to version 1.0.0 is vulnerable to NoSQL injection. The req.body.email parameter is passed directly to MongoDB queries in getUsernameByEmail and verifyPasswordResetState without type coercion. This allows an attacker to inject MongoDB operators (e.g., $regex) to manipulate the query logic [1].

Exploitation

An attacker only needs a registered account and a valid password reset token for their own account. They send a POST request to /api/v1/users/resetpassword/reset with a JSON body containing their state token, a crafted email field (e.g., {"$regex": ".*"}), and a new password. The server verifies the attacker's reset state using the injected email query, consumes the valid token, then returns the first matching user from the users collection, changing that account's password to the attacker-controlled value [1].

Impact

A successful attack results in full account takeover of an arbitrary user (the first matching the injected query or a targeted email). The attacker gains the same privileges as the victim, which could include admin access if the target is an administrator. The original user is locked out of their account [1].

Mitigation

The issue has been patched in version 1.0.0 of PenguinMod-BackendApi. Users should upgrade to this version immediately. No workaround is available for earlier versions [1].

AI Insight generated on Jun 11, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Missing type validation on the `email` field allows NoSQL operator injection in MongoDB queries, and no cross-check ensures the returned email matches the consumed reset token."

Attack vector

An attacker registers an account, requests a password reset, and obtains a valid state token from the reset email. They then POST to the reset endpoint with their own state token but inject a MongoDB operator (e.g., `{"$regex": ".*"}`) in the `email` field. The server consumes the attacker's valid reset document and then runs the injected query against the `users` collection, returning an arbitrary account whose password is changed [1]. No authentication beyond a registered account and one reset token is required.

Affected code

The vulnerability resides in `api/v1/routes/users/login/resetpassword/reset.js` and `api/v1/db/UserManager.js`, specifically the functions `getUsernameByEmail` and `verifyPasswordResetState`. The `email` field from `req.body` is passed directly to MongoDB queries without type coercion or validation [1].

What the fix does

The patch is not shown in the bundle, but the advisory states the issue is fixed in version 1.0.0. To close the flaw, the fix has to coerce `req.body.email` to a string before it reaches any MongoDB query, which blocks operator injection, and it has to verify that the email returned by `getUsernameByEmail` matches the email stored in the consumed reset state [1].

Preconditions

  • auth: Attacker must have a registered account on the PenguinMod platform
  • input: Attacker must obtain a valid password reset state token for their own account (e.g., via email)
  • network: The reset endpoint must accept JSON POST bodies with an `email` field

Generated on Jun 11, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1

News mentions: 0 (no linked articles in our index yet)