Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2026-50635

CVE-2026-50635: LimeSurvey Auth Bypass Vulnerability

CVE-2026-50635 is an authentication bypass flaw in LimeSurvey allowing attackers to hijack accounts via Host header manipulation in password resets. This post covers technical details, affected versions, and mitigations.

Published:

CVE-2026-50635 Overview

CVE-2026-50635 is a host header injection vulnerability in LimeSurvey that enables account takeover through the password reset workflow. LimeSurvey builds password-reset URLs from the client-supplied HTTP Host header without validation. The optional allowedHosts allowlist remains undefined in default and documented configurations, causing LSHttpRequest::checkIsAllowedHost() to perform no validation. A remote, unauthenticated attacker who knows a target's username and email can submit a forgotten-password request with a spoofed Host header. LimeSurvey then emails the victim a reset link pointing to an attacker-controlled host while embedding the genuine validation_key. The flaw is tracked under [CWE-640: Weak Password Recovery Mechanism for Forgotten Password].

Critical Impact

Unauthenticated attackers can hijack LimeSurvey accounts by capturing valid password reset tokens leaked through automated link scanners or recipient clicks.

Affected Products

  • LimeSurvey (open-source survey platform)
  • Installations using default configuration without allowedHosts defined
  • Deployments exposing the forgotten-password endpoint to untrusted networks

Discovery Timeline

  • 2026-06-09 - CVE-2026-50635 published to NVD
  • 2026-06-09 - Last updated in NVD database

Technical Details for CVE-2026-50635

Vulnerability Analysis

The vulnerability resides in LimeSurvey's password reset workflow. When a user submits a forgotten-password request, the application constructs the reset URL using the Host header from the incoming HTTP request. The framework offers LSHttpRequest::checkIsAllowedHost() as a defense, but this method depends on the allowedHosts configuration array. In the default and documented configuration, allowedHosts is undefined, so the check returns without enforcing any restriction. An attacker who knows the victim's username and email can submit the reset request with a forged Host header pointing to attacker-controlled infrastructure. LimeSurvey generates a legitimate validation_key and emails the victim a link that combines the attacker's hostname with the genuine token. When the victim clicks the link, or when an inbound mail-security scanner automatically dereferences URLs, the attacker's server receives the valid token. The attacker then replays that token against the legitimate LimeSurvey newPassword endpoint to set a new password and assume control of the account.

Root Cause

The root cause is trust placed in an unvalidated client-controlled input. LimeSurvey treats the HTTP Host header as authoritative for URL construction, and the validation logic ships disabled by default. This combination converts a recoverable design choice into an exploitable vulnerability for every standard deployment.

Attack Vector

The attack requires network access to the LimeSurvey forgotten-password endpoint and knowledge of the target's username and email address. No authentication or prior session is required. User interaction is needed only in the form of a clicked link or an automated link-scanning service that follows URLs in inbound mail. The vulnerability mechanism is described in the VulnCheck Advisory: LimeSurvey Vulnerability and addressed in the GitHub Pull Request for LimeSurvey.

Detection Methods for CVE-2026-50635

Indicators of Compromise

  • Outbound password reset emails containing hostnames that do not match the canonical LimeSurvey deployment URL
  • HTTP requests to /index.php/admin/authentication/sa/forgotpassword or equivalent reset endpoints carrying Host headers inconsistent with the server's expected FQDN
  • Successful newPassword endpoint invocations originating from IP addresses that did not initiate the corresponding reset request

Detection Strategies

  • Inspect web server access logs for mismatches between the Host header and the configured server name across forgotten-password requests
  • Correlate reset email delivery records with subsequent newPassword submissions from unrelated source IPs within short time windows
  • Alert on outbound mail containing reset URLs whose domains differ from the approved application hostname

Monitoring Recommendations

  • Enable verbose logging on the LimeSurvey authentication controller and forward events to a centralized log platform
  • Monitor authentication audit trails for unexpected password changes followed by logins from new geographies or user agents
  • Track repeated forgotten-password submissions targeting the same account, which may indicate reconnaissance of valid username and email pairs

How to Mitigate CVE-2026-50635

Immediate Actions Required

  • Define the allowedHosts array in the LimeSurvey configuration to explicitly list every legitimate hostname serving the application
  • Upgrade to the LimeSurvey release that incorporates the fix from LimeSurvey Pull Request 5032
  • Force a password reset for any account suspected of receiving a malicious reset email since deployment

Patch Information

The vendor fix is delivered through the LimeSurvey project pull request referenced in the advisory. Administrators should apply the upstream patch and verify that LSHttpRequest::checkIsAllowedHost() enforces the configured allowlist. Refer to the LimeSurvey Official Website for release notes and the VulnCheck Advisory: LimeSurvey Vulnerability for technical context.

Workarounds

  • Configure the upstream web server (Nginx, Apache, or load balancer) to reject requests whose Host header does not match the approved FQDN
  • Set a fixed ServerName and use UseCanonicalName On in Apache, or use exact server_name matching with a default reject server block in Nginx
  • Disable or restrict the forgotten-password endpoint via network ACLs where LimeSurvey is deployed for internal-only use
bash
# Configuration example - restrict Host header at the web server
# Nginx default server block rejecting unknown Host headers
server {
    listen 443 ssl default_server;
    server_name _;
    return 444;
}

server {
    listen 443 ssl;
    server_name survey.example.com;
    # proxy_pass to LimeSurvey backend
}

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.