Homarr Race Condition Vulnerability in User Registration Endpoint Allowing Multiple Account Creations from Single-Use Invite Token
Vulnerability
A race condition vulnerability has been identified in the user registration endpoint of Homarr, an open-source dashboard, in versions through 1.56.1. The issue allows an attacker to create multiple user accounts using a single-use invite token. The vulnerability arises because the registration process performs three sequential database operations (check that the token exists, create the user, delete the token) without wrapping them in a transaction. As a result, concurrent registration requests can all pass the validation step before any of them reaches the deletion step, so every one of them succeeds and multiple accounts are registered from one invite token.
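The check/create/delete interleaving described above, modelled as an added example (Python, not Homarr's own code): the racy handler sits beside a hardened one that consumes the invite inside a single write transaction and treats a DELETE that affected no rows as an already-used token. The schema, the token value and the lock standing in for the database's write serialisation are constructed assumptions.

```python
import sqlite3
import threading

# Constructed schema standing in for the invite/user tables (assumption, not Homarr's real one).
# One shared in-memory autocommit connection; db_lock serialises statements like a driver would.
db = sqlite3.connect(":memory:", check_same_thread=False, isolation_level=None)
db_lock = threading.Lock()

def reset(token):
    with db_lock:
        db.executescript("DROP TABLE IF EXISTS invite; DROP TABLE IF EXISTS user;"
                         "CREATE TABLE invite(token TEXT PRIMARY KEY);"
                         "CREATE TABLE user(name TEXT PRIMARY KEY, invite TEXT);")
        db.execute("INSERT INTO invite VALUES (?)", (token,))

def register_racy(token, name, barrier):
    """Vulnerable shape: check, create, delete as three separate statements, no transaction."""
    with db_lock:
        valid = db.execute("SELECT 1 FROM invite WHERE token=?", (token,)).fetchall()
    if not valid:
        return False
    barrier.wait()  # every request has passed the check before any reaches the delete
    with db_lock:
        db.execute("INSERT INTO user VALUES (?, ?)", (name, token))
    with db_lock:
        db.execute("DELETE FROM invite WHERE token=?", (token,))
    return True

def register_atomic(token, name, barrier):
    """Hardened shape: consume the token and create the user in one write transaction;
    a DELETE affecting 0 rows means another request already used the token."""
    barrier.wait()
    with db_lock:  # stands in for the write lock BEGIN IMMEDIATE holds until COMMIT
        db.execute("BEGIN IMMEDIATE")
        if db.execute("DELETE FROM invite WHERE token=?", (token,)).rowcount != 1:
            db.execute("ROLLBACK")
            return False
        db.execute("INSERT INTO user VALUES (?, ?)", (name, token))
        db.execute("COMMIT")
        return True

def run_concurrent(handler, n=5, token="invite-abc123"):
    """Fire n registrations for the same token at once; return the resulting user count."""
    reset(token)
    barrier = threading.Barrier(n)
    threads = [threading.Thread(target=handler, args=(token, f"user{i}", barrier)) for i in range(n)]
    for t in threads: t.start()
    for t in threads: t.join()
    with db_lock:
        return db.execute("SELECT COUNT(*) FROM user").fetchone()[0]
```

`run_concurrent(register_racy)` yields one account per concurrent request, while `run_concurrent(register_atomic)` yields exactly one regardless of how many requests race.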
Impact
Exploitation of this vulnerability bypasses access control, allowing multiple unauthorized accounts to be created from a single invite token. All accounts are fully functional, providing valid credentials for application access. This vulnerability could be exploited at scale, as an attacker could create numerous accounts using a single invite link, and the accounts would persist even if one is detected and removed.
Reproduction
To reproduce this vulnerability, first create a single-use invite token as an admin. Then use that invite token to send concurrent registration requests, taking advantage of the missing transaction in the registration process. This can be done with a Python script that automates the registration requests and synchronises them so that they are all sent at the same time.
Remediation
The vulnerability has been fixed in Homarr version 1.57.0. Users should update to this version.