Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-32602

CVE-2026-32602: Homarr Race Condition Vulnerability

CVE-2026-32602 is a race condition flaw in Homarr's user registration endpoint that allows attackers to create multiple accounts using single-use invite tokens. This article covers technical details, affected versions, and fixes.

Published:

CVE-2026-32602 Overview

CVE-2026-32602 is a race condition vulnerability in Homarr, an open-source dashboard application. Prior to version 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a Time-of-Check Time-of-Use (TOCTOU) race condition that allows an attacker to create multiple user accounts from a single-use invite token.

Critical Impact

Attackers can exploit this race condition to bypass invite token restrictions, creating unauthorized user accounts and potentially gaining elevated access to the dashboard.

Affected Products

  • Homarr versions prior to 1.57.0
  • Homarr instances using invite token registration flow

Discovery Timeline

  • 2026-04-06 - CVE CVE-2026-32602 published to NVD
  • 2026-04-07 - Last updated in NVD database

Technical Details for CVE-2026-32602

Vulnerability Analysis

The vulnerability exists in the user registration flow which performs three sequential database operations without proper transactional atomicity. The registration process follows this sequence: CHECK (validate invite token), CREATE (create user account), and DELETE (remove the used invite token). Because these operations are not wrapped in a database transaction, concurrent requests can exploit the timing window between validation and deletion.

When multiple registration requests are sent simultaneously with the same invite token, all requests can pass the validation step before any of them reaches the token deletion step. This race condition allows the creation of multiple user accounts using a single invite token that was designed for one-time use only.

This vulnerability is classified under CWE-367 (Time-of-Check Time-of-Use Race Condition), which describes scenarios where a resource's state changes between the time it is checked and the time it is used.

Root Cause

The root cause is the lack of atomic database operations in the user registration flow. The three database operations (CHECK, CREATE, DELETE) are executed sequentially without being wrapped in a database transaction. This non-atomic design allows concurrent requests to interleave their execution, bypassing the intended single-use constraint of invite tokens.

Attack Vector

The attack exploits the network-accessible registration endpoint. An attacker with access to a valid single-use invite token can send multiple concurrent HTTP requests to the /api/trpc/user.register endpoint. By timing these requests to arrive simultaneously, the attacker can create multiple user accounts before the invite token is invalidated.

The attack requires low privileges (possession of a valid invite token) and can be executed over the network. The exploitation window exists during the brief period between token validation and token deletion, making it a classic TOCTOU race condition scenario.

Detection Methods for CVE-2026-32602

Indicators of Compromise

  • Multiple user accounts created with timestamps within milliseconds of each other
  • Unusual patterns of concurrent registration requests in web server logs
  • Multiple successful registrations from the same IP address in rapid succession
  • Audit logs showing multiple accounts associated with the same invite token identifier

Detection Strategies

  • Monitor authentication logs for unusual registration patterns with multiple accounts created in sub-second timeframes
  • Implement rate limiting detection to identify burst registration attempts to the /api/trpc/user.register endpoint
  • Review database audit logs for user creation events that coincide with invite token usage anomalies
  • Deploy web application firewall (WAF) rules to detect and alert on concurrent registration attempts

Monitoring Recommendations

  • Enable detailed logging for the user registration endpoint including request timestamps and source IPs
  • Set up alerts for multiple user registrations originating from the same IP within a short time window
  • Monitor for unexpected increases in user account creation rates
  • Implement database-level auditing to track invite token lifecycle events

How to Mitigate CVE-2026-32602

Immediate Actions Required

  • Upgrade Homarr to version 1.57.0 or later immediately
  • Review existing user accounts for potential unauthorized registrations
  • Audit invite token usage logs to identify any exploitation attempts
  • Consider temporarily disabling invite-based registration until the patch is applied

Patch Information

The vulnerability is fixed in Homarr version 1.57.0. Organizations should update their Homarr installations to this version or later. The fix implements proper atomic database transactions around the registration flow, ensuring that the CHECK, CREATE, and DELETE operations execute atomically.

For more details, refer to the GitHub Security Advisory.

Workarounds

  • Disable invite-based user registration until the patch can be applied
  • Implement network-level rate limiting on the /api/trpc/user.register endpoint to reduce exploitation success
  • Use a reverse proxy to throttle concurrent requests to registration endpoints
  • Monitor and manually review all new user registrations during the vulnerable period
bash
# Example: Rate limiting configuration for nginx reverse proxy
# Limit registration endpoint to 1 request per second per IP
limit_req_zone $binary_remote_addr zone=register:10m rate=1r/s;

location /api/trpc/user.register {
    limit_req zone=register burst=1 nodelay;
    proxy_pass http://homarr_backend;
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.