moltenbitI audited #OpenReception, a recently released open-source appointment booking platform. Found and reported 16 vulnerabilities, now 16 CVEs assigned.
4 critical:
- WebAuthn passkey injection → account takeover
- tenant admin self-promotes to GLOBAL_ADMIN
- unauth GLOBAL_ADMIN account creation
- staff crypto poisoning breaks the E2E recipient directory
rest: info disclosure, stored XSS, auth and IDOR bugs, all patched before public disclosure.
Disclosures
Security vulnerabilities I have responsibly disclosed. All findings were reported to the affected vendors and patched before public disclosure. CVE / ID Product Summary Severity Date References CVE-2026-48088 OpenReception unauthenticated staff crypto poisoning breaks E2E recipient directory Critical (9.4) 2026-05-20 CVE, GHSA CVE-2026-48087 OpenReception WebAuthn passkey injection allows account takeover Critical (9.8) 2026-05-20 CVE, GHSA CVE-2026-48086 OpenReception tenant admin self-promotes to GLOBAL_ADMIN Critical (9.9) 2026-05-20 CVE, GHSA CVE-2026-48085 OpenReception unauthenticated GLOBAL_ADMIN account creation post-bootstrap Critical (9.8) 2026-05-20 CVE, GHSA CVE-2026-48084 OpenReception passphrase login attempts are not rate-limited High (7.4) 2026-05-20 CVE, GHSA CVE-2026-48083 OpenReception unauthenticated POST /api/log accepts arbitrary content with CRLF injection and no size or rate limits Moderate (6.5) 2026-05-20 CVE, GHSA CVE-2026-48082 OpenReception bootstrap challenge proof-of-work difficulty hardcoded to 16 bits enables abuse rate amplification Low (3.7) 2026-05-20 CVE, GHSA CVE-2026-48081 OpenReception stored click-triggered XSS via javascript: tenant links rendered into patient-facing footer High (8.1) 2026-05-20 CVE, GHSA CVE-2026-48080 OpenReception tenant detail endpoint discloses live PostgreSQL connection string, superuser-scoped in the tested official deployment High (8.0) 2026-05-20 CVE, GHSA CVE-2026-48079 OpenReception logout page clears local access_token before server-side revocation, leaving duplicated tokens valid until expiry High (7.4) 2026-05-20 CVE, GHSA CVE-2026-48078 OpenReception schedule endpoint discloses isPublic=false channels and slot availability to unauthenticated callers Moderate (5.3) 2026-05-20 CVE, GHSA CVE-2026-48077 OpenReception GET appointment by ID returns full appointment record without authorization Moderate (5.3) 2026-05-20 CVE, GHSA CVE-2026-48076 OpenReception bootstrap booking flow allows unauthenticated booking on isPublic=false channels Moderate (6.5) 2026-05-20 CVE, GHSA CVE-2026-48075 OpenReception unauthenticated add-to-tunnel endpoint accepts arbitrary appointment injections Moderate (6.5) 2026-05-20 CVE, GHSA CVE-2026-48074 OpenReception staff deletion removes pending invites cross-tenant by email match Low (2.7) 2026-05-20 CVE, GHSA CVE-2026-48071 OpenReception client PIN challenge throttle is keyed by emailHash only, allowing cross-tenant lockout Moderate (5.8) 2026-05-20 CVE, GHSA CVE-2026-6965 Tutor LMS WordPress Plugin insecure direct object reference leading to authenticated arbitrary post deletion via course GET parameter Moderate (5.3) 2026-05-12 CVE, Wordfence CVE-2026-34782 Zammad missing authorization in AI assistance controller for text tools Moderate (5.3) 2026-04-08 CVE, GHSA, Blog post CVE-2026-34837 Zammad missing authorization in AI assistance controller for context data used in text tools Moderate (5.3) 2026-04-08 CVE, GHSA, Blog post CVE-2026-34721 Zammad cross-site request forgery (CSRF) in OAuth callback endpoints Moderate (5.9) 2026-04-08 CVE, GHSA MSRC Acknowledgment Microsoft Online Services vulnerability in Microsoft Online Services — 2026-03-31 MSRC Acknowledgements CVE-2025-30201 Wazuh bypass of UNC path mitigation in Windows OSQuery via \\?\UNC\ High (7.1) 2025-03-17 CVE, GHSA, Blog post
Dipl.Psych. Manuel Stein
Marcel SIneM(S)US
villon
Dr. M. Haegele
Stefan Münz
🇺🇦 Lauteshirn 🏳️🌈
simsalabim
marzuq märzenbecher