Description
PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any push-level defense, making short or dictionary-derived passphrases practically recoverable within hours or days.
Published: 2026-07-13
Score: 8.7 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 14 Jul 2026 22:30:00 +0000

Type Values Removed Values Added
First Time appeared Apnotic
Apnotic password Pusher
CPEs cpe:2.3:a:apnotic:password_pusher:*:*:*:*:*:*:*:*
Vendors & Products Apnotic
Apnotic password Pusher

Tue, 14 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 13 Jul 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Pglombardo
Pglombardo password Pusher
Vendors & Products Pglombardo
Pglombardo password Pusher

Mon, 13 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Description PasswordPusher before 2.9.2 contains a brute-force vulnerability in the POST /p/:token/access endpoint that lacks route-specific rate limiting and per-push lockout mechanisms. Attackers who know a push token can systematically guess passphrases at 120 attempts per minute without triggering any push-level defense, making short or dictionary-derived passphrases practically recoverable within hours or days.
Title PasswordPusher < 2.9.2 Passphrase Brute-Force via Unthrottled Endpoint
Weaknesses CWE-307
References
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 8.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}


Subscriptions

Apnotic Password Pusher
Pglombardo Password Pusher
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-07-14T22:03:37.558Z

Reserved: 2026-07-09T14:07:55.624Z

Link: CVE-2026-61458

cve-icon Vulnrichment

Updated: 2026-07-14T14:25:20.637Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-16T08:15:04Z

Weaknesses