CVE-2026-32602 Overview
CVE-2026-32602 is a race condition vulnerability in Homarr, an open-source dashboard application. Prior to version 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a Time-of-Check Time-of-Use (TOCTOU) race condition that allows an attacker to create multiple user accounts from a single-use invite token.
Critical Impact
Attackers can exploit this race condition to bypass invite token restrictions, creating unauthorized user accounts and potentially gaining elevated access to the dashboard.
Affected Products
- Homarr versions prior to 1.57.0
- Homarr instances using invite token registration flow
Discovery Timeline
- 2026-04-06 - CVE-2026-32602 published to NVD
- 2026-04-07 - Last updated in NVD database
Technical Details for CVE-2026-32602
Vulnerability Analysis
The vulnerability exists in the user registration flow which performs three sequential database operations without proper transactional atomicity. The registration process follows this sequence: CHECK (validate invite token), CREATE (create user account), and DELETE (remove the used invite token). Because these operations are not wrapped in a database transaction, concurrent requests can exploit the timing window between validation and deletion.
When multiple registration requests are sent simultaneously with the same invite token, all requests can pass the validation step before any of them reaches the token deletion step. This race condition allows the creation of multiple user accounts using a single invite token that was designed for one-time use only.
This vulnerability is classified under CWE-367 (Time-of-Check Time-of-Use Race Condition), which describes scenarios where a resource's state changes between the time it is checked and the time it is used.
Root Cause
The root cause is the lack of atomic database operations in the user registration flow. The three database operations (CHECK, CREATE, DELETE) are executed sequentially without being wrapped in a database transaction. This non-atomic design allows concurrent requests to interleave their execution, bypassing the intended single-use constraint of invite tokens.
Attack Vector
The attack exploits the network-accessible registration endpoint. An attacker with access to a valid single-use invite token can send multiple concurrent HTTP requests to the /api/trpc/user.register endpoint. By timing these requests to arrive simultaneously, the attacker can create multiple user accounts before the invite token is invalidated.
The attack requires low privileges (possession of a valid invite token) and can be executed over the network. The exploitation window exists during the brief period between token validation and token deletion, making it a classic TOCTOU race condition scenario.
Detection Methods for CVE-2026-32602
Indicators of Compromise
- Multiple user accounts created with timestamps within milliseconds of each other
- Unusual patterns of concurrent registration requests in web server logs
- Multiple successful registrations from the same IP address in rapid succession
- Audit logs showing multiple accounts associated with the same invite token identifier
Detection Strategies
- Monitor authentication logs for unusual registration patterns with multiple accounts created in sub-second timeframes
- Implement rate limiting detection to identify burst registration attempts to the /api/trpc/user.register endpoint
- Review database audit logs for user creation events that coincide with invite token usage anomalies
- Deploy web application firewall (WAF) rules to detect and alert on concurrent registration attempts
Monitoring Recommendations
- Enable detailed logging for the user registration endpoint including request timestamps and source IPs
- Set up alerts for multiple user registrations originating from the same IP within a short time window
- Monitor for unexpected increases in user account creation rates
- Implement database-level auditing to track invite token lifecycle events
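The detection strategies above, turned into a small log check, as an added example that is not part of the advisory. It assumes a constructed, simplified access-log format ("<ISO-8601 time> <ip> <method> <path> <status>") and flags any source IP whose successful POSTs to /api/trpc/user.register cluster inside a one-second window; the sample lines are constructed for illustration.

```javascript
// Added detection example (not from the advisory): flag bursts of successful
// registration requests from one source IP inside a short window.
// Log format assumed here (constructed): "<ISO-8601 time> <ip> <method> <path> <status>".
const REGISTER_PATH = '/api/trpc/user.register';

function parseLine(line) {
  const [ts, ip, method, path, status] = line.trim().split(/\s+/);
  return { time: Date.parse(ts), ip, method, path, status: Number(status) };
}

// Returns one finding per IP whose successful registrations reach `threshold`
// within `windowMs`; each finding reports the densest burst seen for that IP.
function detectRegistrationBursts(lines, { windowMs = 1000, threshold = 2 } = {}) {
  const byIp = new Map();
  for (const line of lines) {
    const e = parseLine(line);
    if (e.method !== 'POST' || e.path !== REGISTER_PATH || e.status !== 200) continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e.time);
  }
  const findings = [];
  for (const [ip, times] of byIp) {
    times.sort((a, b) => a - b);
    let start = 0;
    let best = 0;
    for (let end = 0; end < times.length; end++) {
      while (times[end] - times[start] > windowMs) start++; // slide the window forward
      best = Math.max(best, end - start + 1);
    }
    if (best >= threshold) findings.push({ ip, registrations: best, windowMs });
  }
  return findings;
}

// Constructed sample: one IP completes five registrations within ~40 ms,
// a second IP registers once and then makes an unrelated request.
const SAMPLE_LOG = [
  '2026-04-06T12:00:00.100Z 203.0.113.5 POST /api/trpc/user.register 200',
  '2026-04-06T12:00:00.108Z 203.0.113.5 POST /api/trpc/user.register 200',
  '2026-04-06T12:00:00.115Z 203.0.113.5 POST /api/trpc/user.register 200',
  '2026-04-06T12:00:00.121Z 203.0.113.5 POST /api/trpc/user.register 200',
  '2026-04-06T12:00:00.140Z 203.0.113.5 POST /api/trpc/user.register 200',
  '2026-04-06T12:00:03.000Z 198.51.100.7 POST /api/trpc/user.register 200',
  '2026-04-06T12:00:03.500Z 198.51.100.7 GET /api/trpc/user.me 200',
];
```

A single registration from one address is normal, so the threshold and window should be tuned to the deployment's real invite volume before alerting on the result.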
How to Mitigate CVE-2026-32602
Immediate Actions Required
- Upgrade Homarr to version 1.57.0 or later immediately
- Review existing user accounts for potential unauthorized registrations
- Audit invite token usage logs to identify any exploitation attempts
- Consider temporarily disabling invite-based registration until the patch is applied
Patch Information
The vulnerability is fixed in Homarr version 1.57.0. Organizations should update their Homarr installations to this version or later. The fix implements proper atomic database transactions around the registration flow, ensuring that the CHECK, CREATE, and DELETE operations execute atomically.
For more details, refer to the GitHub Security Advisory.
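The CHECK, CREATE, DELETE interleaving described under Technical Details and the atomic fix described above, modelled in an added example that is not Homarr's code. The "database" is an in-memory object, each request is a generator that yields between database operations, and a round-robin scheduler interleaves the requests the way concurrent HTTP requests would; the invite token and user names are constructed sample values.

```javascript
// Added illustration (not Homarr's code) of the TOCTOU race and of an atomic fix.
// Each request is a generator that yields between its database operations, so the
// scheduler below can interleave in-flight requests like concurrent HTTP requests.

// Vulnerable flow: three separate operations with no transaction. Every concurrent
// request passes CHECK before any of them reaches DELETE.
function* registerVulnerable(db, token, username) {
  const valid = db.invites.has(token);  // CHECK
  yield;
  if (!valid) return false;
  db.users.push(username);               // CREATE
  yield;
  db.invites.delete(token);              // DELETE
  return true;
}

// Fixed flow: CHECK and DELETE collapse into one step that cannot be interleaved.
// In SQL this is a conditional delete of the token whose affected-row count is
// checked inside the same transaction as the user INSERT; here the Set operation
// is synchronous, which plays the same role.
function* registerAtomic(db, token, username) {
  const consumed = db.invites.delete(token); // CHECK + DELETE as one atomic step
  if (!consumed) return false;
  yield;
  db.users.push(username);                   // CREATE only after the token is gone
  return true;
}

// Round-robin scheduler: advance every unfinished request by one step per round.
function runConcurrently(generators) {
  const pending = generators.map((g) => ({ g, done: false, value: undefined }));
  let active = pending.length;
  while (active > 0) {
    for (const p of pending) {
      if (p.done) continue;
      const step = p.g.next();
      if (step.done) { p.done = true; p.value = step.value; active--; }
    }
  }
  return pending.map((p) => p.value);
}

// Fire `concurrency` registrations against one single-use token and count the outcome.
function raceRegister(registerFn, concurrency) {
  const db = { invites: new Set(['invite-abc']), users: [] }; // constructed sample state
  const results = runConcurrently(
    Array.from({ length: concurrency }, (_, i) => registerFn(db, 'invite-abc', `user${i}`))
  );
  return { succeeded: results.filter(Boolean).length, created: db.users.length };
}
```

With five interleaved requests the vulnerable flow creates five accounts from the one token, while the atomic flow creates exactly one and rejects the rest.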
Workarounds
- Disable invite-based user registration until the patch can be applied
- Implement network-level rate limiting on the /api/trpc/user.register endpoint to reduce exploitation success
- Use a reverse proxy to throttle concurrent requests to registration endpoints
- Monitor and manually review all new user registrations during the vulnerable period
# Example: rate limiting configuration for an nginx reverse proxy.
# This is a fragment: limit_req_zone belongs in the http {} context and the
# location block goes inside the server {} block that proxies to Homarr
# (homarr_backend is an upstream defined elsewhere in the configuration).
# Limit the registration endpoint to 1 request per second per client IP.
limit_req_zone $binary_remote_addr zone=register:10m rate=1r/s;

location /api/trpc/user.register {
    # burst=1 allows one request above the rate; with nodelay it is served
    # immediately and anything beyond it is rejected (503 by default).
    limit_req zone=register burst=1 nodelay;
    proxy_pass http://homarr_backend;
}
# Note: this limit is keyed per client address, so it only reduces the
# exploitation window; the upgrade to 1.57.0 remains the actual fix.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

