Tuist Password Reset Flooding Vulnerability Allowing Unauthenticated Email Abuse

Vulnerability

A vulnerability in Tuist prior to version 1.180.10 allows unauthenticated attackers to repeatedly trigger password reset emails for a known account through the forgot-password flow. The issue stems from a lack of server-side throttling on that endpoint, which lets an attacker consume email delivery resources. In self-hosted deployments this can exhaust downstream email delivery capacity by sending large volumes of unwanted mail.

Impact

Exploitation of this vulnerability could result in the unauthorized flooding of a user's inbox with password reset emails, potentially causing disruption or annoyance. In self-hosted environments, this could also lead to the misuse of email delivery resources, causing additional strain on email infrastructure.

Remediation

Users can upgrade to Tuist version 1.180.10 or later to address this vulnerability.
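As an added example (not Tuist's own code), the kind of server-side throttle the fix implies for a forgot-password endpoint: a sliding-window limit per account and per client address, with a response that is identical whether or not a mail was actually sent. The limits (3 per account, 10 per source, per hour) and the `outbox` stand-in for the mail sender are assumptions.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
from typing import Optional
import time


@dataclass
class ResetThrottle:
    """Sliding-window limits for password reset requests (assumed values)."""
    per_account: int = 3       # reset emails per account per window
    per_source: int = 10       # reset requests per client address per window
    window_s: int = 3600
    _accounts: dict = field(default_factory=lambda: defaultdict(deque))
    _sources: dict = field(default_factory=lambda: defaultdict(deque))

    @staticmethod
    def _prune(stamps: deque, now: float, window: int) -> None:
        # Drop timestamps that have aged out of the window.
        while stamps and stamps[0] <= now - window:
            stamps.popleft()

    def allow(self, email: str, source: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        account = self._accounts[email.strip().lower()]  # normalise the key
        src = self._sources[source]
        self._prune(account, now, self.window_s)
        self._prune(src, now, self.window_s)
        if len(account) >= self.per_account or len(src) >= self.per_source:
            return False
        account.append(now)
        src.append(now)
        return True


def handle_forgot_password(throttle: ResetThrottle, email: str, source: str,
                           outbox: list, now: Optional[float] = None) -> dict:
    """Forgot-password handler: enqueue the mail only when the throttle allows it.

    The response is the same in both cases so the throttle cannot be used to
    confirm which accounts exist or which are currently rate limited.
    """
    if throttle.allow(email, source, now):
        outbox.append(email)   # stands in for the real mail delivery call
    return {"status": "ok",
            "message": "If that account exists, a reset link has been emailed."}
```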

Added: May 14, 2026, 9:59 PM
Updated: May 14, 2026, 9:59 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 7.4
remediation: 0.0
relevance: 8.3
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.