Eladmin Password Reset Vulnerability in User Management Module

Vulnerability

A vulnerability exists in Eladmin versions through 2.7 that allows the password of any user to be reset without regard to the caller's permission level. The issue lies in the user management module, specifically the '/api/users/resetPwd' endpoint, which performs the reset without an adequate authorization check.

Impact

Exploitation of this vulnerability allows unauthorized password resets, potentially leading to unauthorized access to user accounts.

Reproduction

To reproduce this vulnerability, send a request to the '/api/users/resetPwd' endpoint with a JSON array containing the IDs of the users whose passwords should be reset. The response indicates a successful reset, after which the admin account can be accessed with the default password '123456'.

Remediation

It is recommended to update to the latest version of Eladmin, where this vulnerability has been addressed.
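As an added illustration of what the fix has to cover (this is not Eladmin's own code), the shape a hardened reset endpoint takes in a Spring Boot controller: an explicit permission on the endpoint, a per-target scope check, and a random one-time password instead of a fixed default. The class, service methods and permission string are assumed for the example.

```java
import java.security.SecureRandom;
import java.util.Set;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.http.ResponseEntity;
import org.springframework.security.access.AccessDeniedException;
import org.springframework.security.access.prepost.PreAuthorize;
import org.springframework.security.core.Authentication;
import org.springframework.web.bind.annotation.*;

@RestController
@RequestMapping("/api/users")
public class UserResetController {
    private static final Logger log = LoggerFactory.getLogger(UserResetController.class);
    private static final String ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789";
    private final UserService userService;              // assumed service interface
    private final SecureRandom random = new SecureRandom();

    public UserResetController(UserService userService) { this.userService = userService; }

    // 1. The endpoint itself requires an explicit permission; a logged-in
    //    user without it is rejected before any ID is looked at.
    @PreAuthorize("hasAuthority('user:resetPwd')")      // permission name assumed
    @PutMapping("/resetPwd")
    public ResponseEntity<Void> resetPwd(@RequestBody Set<Long> ids, Authentication auth) {
        Long callerId = userService.idOfUsername(auth.getName());
        for (Long targetId : ids) {
            // 2. Each target is checked against the caller's scope, so an
            //    operator with the permission still cannot reset accounts
            //    (e.g. admin) that it is not allowed to administer.
            if (!userService.canAdminister(callerId, targetId)) {
                throw new AccessDeniedException("not allowed to reset user " + targetId);
            }
            // 3. No shared default such as '123456': a random one-time
            //    password that must be changed at next login.
            String temp = randomPassword(16);
            userService.setPasswordRequireChange(targetId, temp);
            userService.deliverOutOfBand(targetId, temp);
            log.info("password reset: target={} by={}", targetId, callerId); // audit trail
        }
        return ResponseEntity.ok().build();
    }

    private String randomPassword(int length) {
        StringBuilder sb = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            sb.append(ALPHABET.charAt(random.nextInt(ALPHABET.length())));
        }
        return sb.toString();
    }
}
```

The audit line gives defenders a concrete event to alert on: a reset of a privileged account by a caller that should not have the permission.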

Added: Feb 4, 2026, 3:22 PM
Updated: Feb 4, 2026, 4:56 PM

Vulnerability Rating

Custom Algorithm

spread: 0.3
impact: 5.0
exploitability: 5.8
remediation: 0.0
relevance: 2.6
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.