CVE-2026-41308 Overview
CVE-2026-41308 is an authentication bypass vulnerability in Password Pusher, an open source application used to share sensitive information over the web. Versions prior to 1.69.3 and 2.4.2 allow unauthenticated creation of file-type pushes through a generic JSON API create path under certain configurations. The flaw bypasses the intended authentication boundary that restricts file push creation to authorized users. The vendor pwpush has released patched versions 1.69.3 and 2.4.2 that close the bypass path. The weakness is classified under [CWE-288] Authentication Bypass Using an Alternate Path or Channel.
Critical Impact
Unauthenticated attackers can create file-type pushes via the JSON API, abusing a trusted service to host arbitrary file payloads and circumvent access controls intended for authenticated users.
Affected Products
- Password Pusher (pwpush:password_pusher) versions prior to 1.69.3 in the 1.x branch
- Password Pusher (pwpush:password_pusher) versions prior to 2.4.2 in the 2.x branch
- Self-hosted deployments exposing the JSON API create path under affected configurations
Discovery Timeline
- 2026-05-08 - CVE-2026-41308 published to NVD
- 2026-05-14 - Last updated in NVD database
Technical Details for CVE-2026-41308
Vulnerability Analysis
Password Pusher exposes a JSON API that allows clients to create pushes of multiple types, including text, URL, QR, and file. File-type pushes require authentication because they involve uploading and storing user-supplied content on the server. Prior to versions 1.69.3 and 2.4.2, a generic create path within the JSON API failed to enforce this authentication boundary for the file push type under certain configurations. An unauthenticated client could submit a crafted JSON request to the generic create endpoint and successfully provision a file-type push. The result is abuse of a trusted password-sharing service to stage attacker-controlled files behind the application's domain and TLS certificate.
Root Cause
The root cause is an inconsistent authorization check across the API surface. Authentication enforcement was implemented at the file-specific controller path but not consistently applied to the shared JSON create action that dispatches by push kind. When the request reached the generic path with a file payload, the kind-specific authorization gate was skipped. This pattern aligns with [CWE-288], where an alternate channel reaches a protected resource without enforcing the same access controls. The fix in pull request #4381 and commit 45dc251 applies the authentication requirement uniformly to file push creation regardless of the entry path.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker sends an HTTP POST request to the vulnerable JSON API create endpoint with a payload specifying a file-type push. The server processes the request and stores the uploaded file as a retrievable push, returning a shareable URL. The attacker can then distribute the resulting Password Pusher URL in phishing campaigns, leveraging the legitimate hosting domain to evade URL reputation filters. Refer to the GitHub Security Advisory GHSA-qfh8-f79c-x86c for advisory-level technical context.
Detection Methods for CVE-2026-41308
Indicators of Compromise
- Unauthenticated POST requests to the JSON API push create endpoint with a kind or type field set to file originating from external IPs
- File-type pushes appearing in the application database that lack an associated authenticated user_id
- Unexpected spikes in file upload volume or storage consumption on Password Pusher instances
- Outbound shares of Password Pusher file URLs referenced from phishing emails or external threat intelligence feeds
Detection Strategies
- Review web server and application logs for POST requests to /p.json, /f.json, or other JSON push creation routes lacking authentication headers or session cookies
- Audit the Password Pusher database for file-type push records created prior to upgrade and correlate with the originating IP and user attribution
- Deploy a reverse proxy rule that requires an authenticated session or API token on all file push creation paths as a defense-in-depth detection trigger
Monitoring Recommendations
- Alert on anonymous file push creation attempts and rate-limit unauthenticated POSTs to the JSON API
- Track storage growth on the Password Pusher uploads directory and investigate sudden anomalies
- Monitor outbound mentions of your Password Pusher domain in brand-protection and phishing intelligence feeds
How to Mitigate CVE-2026-41308
Immediate Actions Required
- Upgrade Password Pusher to version 1.69.3 (for 1.x deployments) or 2.4.2 (for 2.x deployments) without delay
- Audit existing file-type pushes and delete any records that cannot be attributed to a known authenticated user
- Rotate API tokens and review administrative accounts that have access to the affected instance
- If file pushes are not required, disable the file push feature entirely until the upgrade is applied
Patch Information
The vulnerability is fixed in Password Pusher 1.69.3 and 2.4.2. The corrective change is documented in pull request #4381 and applied in commit 45dc251. Refer to the GitHub Security Advisory GHSA-qfh8-f79c-x86c for the official remediation guidance.
Workarounds
- Disable file-type pushes in the application configuration if upgrading is not immediately feasible
- Place the Password Pusher instance behind an authenticating reverse proxy that blocks unauthenticated access to JSON API create paths
- Restrict network access to the Password Pusher instance to authenticated VPN or SSO users until the patched version is deployed
# Example: block unauthenticated file push creation at an nginx reverse proxy
location ~ ^/(p|f)\.json$ {
if ($http_authorization = "") {
return 401;
}
proxy_pass http://passwordpusher_upstream;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
