Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Vulnerability Details :

CVE-2026-34072

Summary
Assigner-GitHub_M
Assigner Org ID-a0819718-46f1-4df5-94e2-005712e83aaa
Published At-01 Apr, 2026 | 16:51
Updated At-01 Apr, 2026 | 17:45
Rejected At-
Credits

cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution

Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.

Vendors
-
Not available
Products
-
Metrics (CVSS)
VersionBase scoreBase severityVector
Weaknesses
Attack Patterns
Solution/Workaround
References
HyperlinkResource Type
EPSS History
Score
Latest Score
-
N/A
No data available for selected date range
Percentile
Latest Percentile
-
N/A
No data available for selected date range
Stakeholder-Specific Vulnerability Categorization (SSVC)
▼Common Vulnerabilities and Exposures (CVE)
cve.org
Assigner:GitHub_M
Assigner Org ID:a0819718-46f1-4df5-94e2-005712e83aaa
Published At:01 Apr, 2026 | 16:51
Updated At:01 Apr, 2026 | 17:45
Rejected At:
▼CVE Numbering Authority (CNA)
cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution

Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.

Affected Products
Vendor
fccview
Product
cronmaster
Versions
Affected
  • < 2.2.0
Problem Types
TypeCWE IDDescription
CWECWE-287CWE-287: Improper Authentication
CWECWE-306CWE-306: Missing Authentication for Critical Function
CWECWE-693CWE-693: Protection Mechanism Failure
Type: CWE
CWE ID: CWE-287
Description: CWE-287: Improper Authentication
Type: CWE
CWE ID: CWE-306
Description: CWE-306: Missing Authentication for Critical Function
Type: CWE
CWE ID: CWE-693
Description: CWE-693: Protection Mechanism Failure
Metrics
VersionBase scoreBase severityVector
3.18.3HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6
x_refsource_CONFIRM
https://github.com/fccview/cronmaster/releases/tag/2.2.0
x_refsource_MISC
Hyperlink: https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6
Resource:
x_refsource_CONFIRM
Hyperlink: https://github.com/fccview/cronmaster/releases/tag/2.2.0
Resource:
x_refsource_MISC
▼Authorized Data Publishers (ADP)
CISA ADP Vulnrichment
Affected Products
Metrics
VersionBase scoreBase severityVector
Metrics Other Info
Impacts
CAPEC IDDescription
Solutions
Configurations
Workarounds
Exploits
Credits
Timeline
EventDate
Replaced By
Rejected Reason
References
HyperlinkResource
Information is not available yet
▼National Vulnerability Database (NVD)
nvd.nist.gov
Source:security-advisories@github.com
Published At:01 Apr, 2026 | 18:16
Updated At:03 Apr, 2026 | 16:10

Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.3HIGH
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
Type: Secondary
Version: 3.1
Base score: 8.3
Base severity: HIGH
Vector:
CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L
CPE Matches
Weaknesses
CWE IDTypeSource
CWE-287Primarysecurity-advisories@github.com
CWE-306Primarysecurity-advisories@github.com
CWE-693Primarysecurity-advisories@github.com
CWE ID: CWE-287
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-306
Type: Primary
Source: security-advisories@github.com
CWE ID: CWE-693
Type: Primary
Source: security-advisories@github.com
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://github.com/fccview/cronmaster/releases/tag/2.2.0security-advisories@github.com
N/A
https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6security-advisories@github.com
N/A
Hyperlink: https://github.com/fccview/cronmaster/releases/tag/2.2.0
Source: security-advisories@github.com
Resource: N/A
Hyperlink: https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6
Source: security-advisories@github.com
Resource: N/A

Change History

0
Information is not available yet

Similar CVEs

4Records found
CVE-2023-42771
Matching Score-4
Assigner-JPCERT/CC
ShareView Details
Matching Score-4
Assigner-JPCERT/CC
CVSS Score-8.3||HIGH
EPSS-0.03% / 8.07%
||
7 Day CHG~0.00%
Published-03 Oct, 2023 | 00:17
Updated-20 Sep, 2024 | 14:35
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Authentication bypass vulnerability in ACERA 1320 firmware ver.01.26 and earlier, and ACERA 1310 firmware ver.01.26 and earlier allows a network-adjacent unauthenticated attacker who can access the affected product to download configuration files and/or log files, and upload configuration files and/or firmware. They are affected when running in ST(Standalone) mode.

Action-Not Available
Vendor-furunosystemsFURUNO SYSTEMS Co.,Ltd.furunosystems
Product-acera_1320acera_1320_firmwareacera_1310acera_1310_firmwareACERA 1310ACERA 1320acera_1320_firmwareacera_1310_firmware
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CWE ID-CWE-287
Improper Authentication
CVE-2025-22477
Matching Score-4
Assigner-Dell
ShareView Details
Matching Score-4
Assigner-Dell
CVSS Score-8.3||HIGH
EPSS-0.11% / 29.56%
||
7 Day CHG~0.00%
Published-06 May, 2025 | 16:03
Updated-26 Feb, 2026 | 18:28
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available

Dell Storage Center - Dell Storage Manager, version(s) 20.1.20, contain(s) an Improper Authentication vulnerability. An unauthenticated attacker with adjacent network access could potentially exploit this vulnerability, leading to Elevation of privileges.

Action-Not Available
Vendor-Dell Inc.
Product-storage_managerDell Storage Center - Dell Storage Manager
CWE ID-CWE-287
Improper Authentication
CVE-2022-45877
Matching Score-4
Assigner-OpenHarmony
ShareView Details
Matching Score-4
Assigner-OpenHarmony
CVSS Score-8.3||HIGH
EPSS-0.03% / 9.76%
||
7 Day CHG~0.00%
Published-08 Dec, 2022 | 00:00
Updated-03 Aug, 2024 | 14:24
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
PIN code is transmitted to the peer device in plain text during cross-device authentication, which reduces the difficulty of man-in-the-middle attacks.

OpenHarmony-v3.1.4 and prior versions had an vulnerability. PIN code is transmitted to the peer device in plain text during cross-device authentication, which reduces the difficulty of man-in-the-middle attacks.

Action-Not Available
Vendor-OpenHarmony (OpenAtom Foundation)
Product-openharmonyOpenHarmonyopenharmony
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-319
Cleartext Transmission of Sensitive Information
CVE-2022-37397
Matching Score-4
Assigner-Yugabyte, Inc.
ShareView Details
Matching Score-4
Assigner-Yugabyte, Inc.
CVSS Score-8.3||HIGH
EPSS-0.49% / 65.94%
||
7 Day CHG~0.00%
Published-12 Aug, 2022 | 18:01
Updated-03 Aug, 2024 | 10:29
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
The software is vulnerable when using LDAP-based authentication in YCQL with Microsoft’s Active Directory

An issue was discovered in the YugabyteDB 2.6.1 when using LDAP-based authentication in YCQL with Microsoft’s Active Directory. When anonymous or unauthenticated LDAP binding is enabled, it allows bypass of authentication with an empty password.

Action-Not Available
Vendor-yugabyteYugaByte, Inc.
Product-yugabytedbYugabyte DB
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-16
Not Available
Details not found