cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action...

8.3 / 10

HIGH

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L

Description

Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware’s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.

Basic Information

ID CVE-2026-34072

Source GitHub_M

Published Apr 1, 2026 at 16:51

Modified Apr 1, 2026 at 17:45

Affected Product

Vendor fccview

Product cronmaster

Version < 2.2.0

Affected Versions fccview cronmaster < 2.2.0

CWE Classification

CWE-287 CWE-306 CWE-693

References

{
    "lastseen": "",
    "description": "Cr*nMaster (cronmaster) is a Cronjob management UI with human readable syntax, live logging and log history for cronjobs. Prior to version 2.2.0, an authentication bypass in middleware allows unauthenticated requests with an invalid session cookie to be treated as authenticated when the middleware\u2019s session-validation fetch fails. This can result in unauthorized access to protected pages and unauthorized execution of privileged Next.js Server Actions. This issue has been patched in version 2.2.0.",
    "published": "2026-04-01T16:51:33.306Z",
    "modified": "2026-04-01T17:45:11.248Z",
    "type": "cve",
    "title": "cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution",
    "source": "GitHub_M",
    "references": "https://github.com/fccview/cronmaster/security/advisories/GHSA-9whh-mffv-xvh6\nhttps://github.com/fccview/cronmaster/releases/tag/2.2.0",
    "id": "CVE-2026-34072",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287",
        "CWE-306",
        "CWE-693"
    ],
    "cvelist": null,
    "sourceData": "fccview cronmaster < 2.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.3,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:L",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "cronmaster",
    "version": "< 2.2.0",
    "vendor": "fccview",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

cronmaster: Middleware authentication bypass enabling unauthorized page access and server-action execution_CVE-2026-34072