Roadcube API Password Reset Vulnerability Allowing Arbitrary Code Execution

Vulnerability

A vulnerability in the Roadcube API version 1 allows remote attackers to execute arbitrary code by exploiting a password reset endpoint that inadequately verifies the identity of the requester. The endpoint accepts a mobile phone number as the only input for triggering a password reset, lacking additional verification measures such as one-time codes or user interaction. This flaw enables attackers to reset passwords and gain full control over user accounts.

Impact

Exploitation of this vulnerability could lead to unauthorized account access, allowing attackers to take over user accounts and potentially misuse them.
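The missing control described above is a proof-of-possession step between the reset request and the actual password change. The following is an added example (not Roadcube's code, and it assumes a made-up in-memory user store and sample phone numbers) of a reset flow that accepts only a phone number to start, but changes nothing until an unexpired, single-use one-time code is presented, with an attempt limit so the code cannot be brute-forced:

```python
import hashlib
import hmac
import secrets
import time

# Constructed in-memory stores standing in for the API's database (assumption).
# The phone number and password below are made-up sample values.
USERS = {"+15550100": {"password_hash": hashlib.sha256(b"old-pass").hexdigest()}}
PENDING = {}          # phone -> {"code_hash", "expires", "attempts"}
OTP_TTL = 600         # seconds a one-time code stays valid
MAX_ATTEMPTS = 5      # failed confirmations before the code is discarded


def request_reset(phone, now=None):
    """Step 1: the phone number alone only starts the flow; nothing changes yet.
    A one-time code is generated for out-of-band delivery (SMS) to the owner.
    It is returned here purely so the example can be exercised offline."""
    now = now or time.time()
    if phone not in USERS:
        return None  # a real API responds identically to avoid account enumeration
    code = f"{secrets.randbelow(10**6):06d}"
    PENDING[phone] = {"code_hash": hashlib.sha256(code.encode()).hexdigest(),
                      "expires": now + OTP_TTL, "attempts": 0}
    return code


def confirm_reset(phone, code, new_password, now=None):
    """Step 2: the password changes only when the caller proves possession of the
    phone by presenting the unexpired code. The code is single-use and attempt-limited."""
    now = now or time.time()
    entry = PENDING.get(phone)
    if entry is None or now > entry["expires"]:
        PENDING.pop(phone, None)          # expired codes are discarded, not retried
        return False
    entry["attempts"] += 1
    presented = hashlib.sha256(code.encode()).hexdigest()
    if not hmac.compare_digest(presented, entry["code_hash"]):  # constant-time compare
        if entry["attempts"] >= MAX_ATTEMPTS:
            PENDING.pop(phone, None)      # too many guesses: require a fresh request
        return False
    PENDING.pop(phone)                    # single use
    # SHA-256 is a placeholder here; store real passwords with a slow hash (argon2, bcrypt).
    USERS[phone]["password_hash"] = hashlib.sha256(new_password.encode()).hexdigest()
    return True
```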

Added: Aug 21, 2025, 4:26 PM
Updated: Aug 21, 2025, 4:26 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 10.0
exploitability: 7.4
remediation: 0.0
relevance: 0.4
threat: 0.0
urgency: 2.9
incentive: 5.8

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.