CVE-2026-1670
Unknown · Multiple Products
An unauthenticated API endpoint exposure allows remote attackers to modify the "forgot password" recovery email address, facilitating account takeover.
Executive summary
The affected software exposes an API endpoint that changes an account's password-recovery email address without requiring authentication. A remote attacker can point any account's recovery address at a mailbox they control, then use the normal "forgot password" flow to receive the reset link and take over the account.
Vulnerability
The endpoint that updates an account's recovery email address is reachable without any authentication, and the account it modifies is chosen by the caller rather than derived from an authenticated session. An unauthenticated remote attacker can therefore call it to change the recovery email of any user account, including administrative ones. Once the recovery address has been redirected, a request through the ordinary password-reset flow delivers the reset link to the attacker, who sets a new password and locks the legitimate owner out.
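The following is an added example, not the affected product's code: a hypothetical "set recovery email" handler with the flaw described above, beside a hardened version. Requests are plain dicts and the user and session tables are constructed in memory so it runs without a web framework; the field names, the bearer-token session, the re-authentication step and the two-step confirmation are assumptions about what a fix should look like, not a description of the vendor's patch.

```python
"""Hypothetical recovery-email handlers: the unauthenticated pattern beside a
hardened one. Illustrative code, not the affected product's."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional


def _hash_password(password: str) -> str:
    # Illustration only; a real service uses a slow salted KDF (argon2, bcrypt, scrypt).
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


@dataclass
class User:
    user_id: int
    email: str
    recovery_email: str
    password_hash: str
    pending_recovery: Optional[dict] = None   # staged change awaiting confirmation


# Constructed sample data: two accounts and one logged-in session (alice).
USERS: Dict[int, User] = {
    1: User(1, "admin@example.test", "admin-rec@example.test", _hash_password("Adm1n-pw")),
    2: User(2, "alice@example.test", "alice-rec@example.test", _hash_password("Al1ce-pw")),
}
SESSIONS: Dict[str, int] = {"tok-alice": 2}   # bearer token -> user_id
AUDIT_LOG: List[dict] = []


def vulnerable_set_recovery_email(request: dict) -> dict:
    """Before: no session check, and the caller names the target account.
    Anyone who can reach the endpoint can redirect any account's password reset."""
    body = request.get("body", {})
    user = USERS.get(int(body.get("user_id", -1)))
    if user is None:
        return {"status": 404}
    user.recovery_email = body["recovery_email"]
    return {"status": 200}


def _session_user(request: dict) -> Optional[User]:
    auth = request.get("headers", {}).get("Authorization", "")
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    user_id = SESSIONS.get(token)
    return USERS.get(user_id) if user_id is not None else None


def hardened_set_recovery_email(request: dict) -> dict:
    """After: require a session, bind the target to that session (any user_id in the
    body is ignored), re-authenticate, and stage the change until the new mailbox
    confirms it."""
    user = _session_user(request)
    if user is None:
        return {"status": 401}                        # no longer reachable anonymously
    body = request.get("body", {})
    supplied = _hash_password(body.get("current_password", ""))
    if not hmac.compare_digest(supplied, user.password_hash):
        AUDIT_LOG.append({"event": "recovery_email_change_denied", "user_id": user.user_id})
        return {"status": 403}                        # step-up auth for a sensitive change
    new_addr = body.get("recovery_email", "")
    if "@" not in new_addr:
        return {"status": 400}
    confirm_token = secrets.token_urlsafe(16)
    user.pending_recovery = {"address": new_addr, "token": confirm_token}
    AUDIT_LOG.append({"event": "recovery_email_change_pending",
                      "user_id": user.user_id, "new": new_addr})
    # A real deployment mails the token to new_addr; it is returned here only so the
    # example can complete the flow offline.
    return {"status": 202, "confirm_token": confirm_token}


def confirm_recovery_email(user_id: int, token: str) -> dict:
    """Second step: the new mailbox proves possession of the token before the live
    recovery address changes, so a stolen session alone cannot redirect resets."""
    user = USERS[user_id]
    pending = user.pending_recovery
    if pending is None or not hmac.compare_digest(pending["token"], token):
        return {"status": 403}
    user.recovery_email = pending["address"]
    user.pending_recovery = None
    AUDIT_LOG.append({"event": "recovery_email_changed",
                      "user_id": user_id, "new": user.recovery_email})
    return {"status": 200}


if __name__ == "__main__":
    attacker = {"body": {"user_id": 1, "recovery_email": "attacker@evil.test"}}
    print(vulnerable_set_recovery_email(attacker), USERS[1].recovery_email)  # admin hijacked
    print(hardened_set_recovery_email(attacker))                            # rejected, 401
```

The important design point is that the hardened handler never reads the target account from the request: the session decides whose recovery address changes, the current password gates the change, and the live address only moves after the new mailbox confirms. Each denied or pending change is written to the audit log so the monitoring described later has something to look at.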
Business impact
Successful exploitation allows takeover of arbitrary accounts, including administrative ones, with no credentials and no interaction from the victim. The reported CVSS score of 9.8 is consistent with a network-reachable flaw that needs no privileges and gives the attacker full control of the compromised accounts and of whatever data and functions those accounts can reach; every account's identity is only as trustworthy as its recovery address, and this flaw lets an outsider rewrite that address at will.
Remediation
Immediate Action: Update the affected software to the vendor's fixed version so the endpoint enforces authentication before accepting a recovery email change.
Proactive Monitoring: Audit account-modification logs for recovery email changes made without an authenticated session, targeting an account other than the caller's, or pointing several accounts at the same mailbox. Revert any change you cannot attribute to the account owner and force a password reset for that account. Monitor API traffic for anonymous requests to the affected endpoint.
Compensating Controls: Until the patch is applied, block the affected endpoint at a Web Application Firewall (WAF) or reverse proxy, or require an authenticated session there if the WAF can check one. A blanket block also stops legitimate recovery email changes, so remove the rule once the update is in place.
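As an added example of the monitoring step above (not the affected product's logging or tooling), the following scans constructed JSON log lines for the patterns a practitioner would hunt for: recovery email changes made with no authenticated principal, changes that target a different account than the caller's, several accounts being pointed at one mailbox, and one source making a burst of changes. It then lists the accounts to revert and reset. The endpoint path, the log field names and the thresholds are assumptions.

```python
"""Detection over constructed log lines for unauthenticated or cross-account
recovery-email changes. Illustrative code, not the affected product's."""
import json
from collections import Counter, defaultdict
from typing import Dict, List, Set

RECOVERY_ENDPOINT = "/api/account/recovery-email"   # assumed path, not from the advisory

# Constructed sample log (one JSON object per line, not real traffic):
# alice legitimately changes her own address; an anonymous source rewrites three
# accounts; dave changes erin's address while logged in as dave; erin reads her profile.
SAMPLE_LOG = """
{"ts":"2026-03-01T10:00:01Z","src":"203.0.113.7","method":"POST","path":"/api/account/recovery-email","principal":"alice","target_user":"alice","new_recovery":"alice-new@example.test","status":200}
{"ts":"2026-03-01T10:05:12Z","src":"198.51.100.9","method":"POST","path":"/api/account/recovery-email","principal":null,"target_user":"admin","new_recovery":"drop1@evil.test","status":200}
{"ts":"2026-03-01T10:05:13Z","src":"198.51.100.9","method":"POST","path":"/api/account/recovery-email","principal":null,"target_user":"bob","new_recovery":"Drop1@evil.test","status":200}
{"ts":"2026-03-01T10:05:14Z","src":"198.51.100.9","method":"POST","path":"/api/account/recovery-email","principal":null,"target_user":"carol","new_recovery":"drop1@evil.test","status":200}
{"ts":"2026-03-01T10:09:40Z","src":"203.0.113.8","method":"POST","path":"/api/account/recovery-email","principal":"dave","target_user":"erin","new_recovery":"dave@example.test","status":200}
{"ts":"2026-03-01T10:10:00Z","src":"203.0.113.9","method":"GET","path":"/api/account/profile","principal":"erin","target_user":"erin","new_recovery":null,"status":200}
"""


def parse_log(text: str) -> List[dict]:
    return [json.loads(line) for line in text.strip().splitlines() if line.strip()]


def successful_changes(events: List[dict]) -> List[dict]:
    """Only completed writes to the recovery-email endpoint matter for takeover."""
    return [e for e in events
            if e["path"] == RECOVERY_ENDPOINT and e["method"] == "POST" and e["status"] == 200]


def detect(events: List[dict], fanin_threshold: int = 2, burst_threshold: int = 3) -> List[dict]:
    findings: List[dict] = []
    changes = successful_changes(events)
    # Rules 1 and 2: who made the change? A null principal means the endpoint
    # accepted an anonymous caller; a mismatch means one user edited another.
    for e in changes:
        if e["principal"] is None:
            findings.append({"rule": "unauthenticated_recovery_change", "target_user": e["target_user"],
                             "src": e["src"], "ts": e["ts"]})
        elif e["principal"] != e["target_user"]:
            findings.append({"rule": "cross_account_recovery_change", "principal": e["principal"],
                             "target_user": e["target_user"], "src": e["src"], "ts": e["ts"]})
    # Rule 3: several accounts pointed at the same mailbox (case-insensitive compare).
    by_mailbox: Dict[str, Set[str]] = defaultdict(set)
    for e in changes:
        by_mailbox[e["new_recovery"].lower()].add(e["target_user"])
    for mailbox, users in sorted(by_mailbox.items()):
        if len(users) >= fanin_threshold:
            findings.append({"rule": "shared_recovery_mailbox", "mailbox": mailbox, "accounts": sorted(users)})
    # Rule 4: one source changing many accounts within the log window.
    for src, n in sorted(Counter(e["src"] for e in changes).items()):
        if n >= burst_threshold:
            findings.append({"rule": "recovery_change_burst", "src": src, "count": n})
    return findings


def accounts_to_remediate(findings: List[dict]) -> Set[str]:
    """Accounts whose recovery address should be reverted and whose password reset
    should be forced: every account named by a per-event or shared-mailbox finding."""
    out: Set[str] = set()
    for f in findings:
        if "target_user" in f:
            out.add(f["target_user"])
        out.update(f.get("accounts", []))
    return out


if __name__ == "__main__":
    found = detect(parse_log(SAMPLE_LOG))
    for f in found:
        print(f)
    print("remediate:", sorted(accounts_to_remediate(found)))
```

In the sample, alice's own change produces no finding, while the three anonymous writes trip the unauthenticated rule, the shared-mailbox rule (the attacker reused one drop address, differing only in case) and the burst rule, and dave's write to erin's account trips the cross-account rule. If the vulnerable endpoint never resolved a session at all, the log may simply lack a principal for those requests, which is exactly the signal rule 1 keys on; if the application records no principal for any request, fall back to the shared-mailbox and burst rules.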
Exploitation status
Public Exploit Available: false
Analyst recommendation
Because an unauthenticated attacker can redirect password resets for any account, this is a high-priority threat. Organizations should apply the vendor-provided security update immediately, then review recovery email changes made during the exposure window and reset the credentials of any account whose recovery address cannot be attributed to its owner.