Runtipi Password Reset Vulnerability Leading to Unauthenticated Admin Account Takeover
Vulnerability
A vulnerability in Runtipi versions prior to 4.8.0 allows an unauthenticated attacker to take over the admin account by resetting the operator password during an active password-reset request. The vulnerability arises because the POST /api/auth/reset-password endpoint lacks authentication and authorization checks. When a password-reset request is active, any remote user can exploit this flaw to change the operator password and gain admin access.
Impact
Exploitation of this vulnerability allows for unauthorized password resets, leading to full admin account takeover. The attacker can log in as the operator, forcibly log out the legitimate user, and disable two-factor authentication.
Reproduction
To reproduce this vulnerability, first ensure that an operator account exists. Then, activate a password-reset request, which opens a 15-minute reset window. After confirming that the reset window is active via an unauthenticated status check, send a POST request to the reset-password endpoint with a new password. This will successfully change the password, allowing login as the admin user.
Remediation
Users should update to Runtipi version 4.8.0 or later, where this vulnerability has been fixed.
