CVE-2026-63100
Severity CVSS v4.0:
HIGH
Type:
Unavailable / Other
Publication date:
17/07/2026
Last modified:
17/07/2026
Description
Maybe through 0.6.0 contains a missing authorization vulnerability that allows authenticated low-privilege member-role users to access and modify global hosting settings by exploiting unprotected show and update actions in the Settings::HostingsController, where the before_action ensure_admin filter is applied only to the clear_cache action. Attackers can read the operator's Synth API key rendered in plaintext via a form field value attribute, overwrite it with an attacker-controlled value, toggle public registration settings, and disable email confirmation requirements to disrupt the entire instance.
Impact
Base Score 4.0
7.10
Severity 4.0
HIGH
Base Score 3.x
6.50
Severity 3.x
MEDIUM



