CVE-2026-34072
Cr*nMaster · Cr*nMaster
An authentication bypass in Cr*nMaster allows unauthenticated users to execute privileged actions by sending an invalid or manipulated session cookie that the session-validation middleware fails to reject.
Executive summary
A critical authentication bypass in Cr*nMaster permits unauthenticated attackers to gain administrative control of the application. Operators should update to version 2.2.0 immediately.
Vulnerability
The middleware responsible for session validation does not treat a failed session-lookup fetch as a denial. When the lookup fails, for example because the request carries an invalid or malformed session cookie, the request is passed through as if it were authenticated instead of being rejected; the check fails open. An unauthenticated attacker can therefore invoke privileged Next.js Server Actions without ever holding a valid session.
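The fail-open pattern described above, as an added illustration that is not Cr*nMaster's code: a session check that only denies on an explicit negative answer from the session store, next to a fail-closed version that denies on every failure path. The cookie name, validation endpoint, session tokens and action name are assumptions, and `fakeFetch` is a constructed stand-in for the real network call so the block runs offline.

```javascript
// Added illustration (not Cr*nMaster's code) of a session-validation
// middleware that fails open when the validation fetch fails, next to a
// fail-closed version. Cookie name, endpoint and action name are assumed.

const SESSION_COOKIE = "session";              // assumed cookie name
const VALIDATE_URL = "/api/session/validate";  // assumed validation endpoint

// Minimal parser for a Cookie header ("a=1; session=abc").
function parseCookies(header) {
  const jar = {};
  for (const part of (header || "").split(";")) {
    const i = part.indexOf("=");
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

// Constructed stand-in for the fetch that checks a cookie against the
// session store, so the example runs offline:
//   known token   -> 200 {valid:true}
//   "expired"     -> 200 {valid:false}
//   no cookie     -> 400 {error}
//   anything else -> throws, like a fetch to an erroring or unreachable backend
const KNOWN_SESSIONS = new Set(["s3ss10n-ok"]); // constructed sample session
async function fakeFetch(url, init) {
  const token = parseCookies(init.headers.cookie)[SESSION_COOKIE];
  const reply = (status, body) => ({ ok: status < 300, status, json: async () => body });
  if (url !== VALIDATE_URL) return reply(404, {});
  if (token === undefined) return reply(400, { error: "missing cookie" });
  if (KNOWN_SESSIONS.has(token)) return reply(200, { valid: true });
  if (token === "expired") return reply(200, { valid: false });
  throw new TypeError("fetch failed");
}

// VULNERABLE: only an explicit {valid:false} denies. A thrown fetch or a
// non-2xx reply leaves `session` unset, the negative check never fires and
// the request proceeds as if authenticated (fail-open).
async function vulnerableIsAuthenticated(req, fetchImpl) {
  let session;
  try {
    const res = await fetchImpl(VALIDATE_URL, { headers: { cookie: req.headers.cookie || "" } });
    if (res.ok) session = await res.json();
  } catch (_) {
    // error swallowed; session stays undefined
  }
  if (session && session.valid === false) return false;
  return true;
}

// FIXED: deny unless the validation call succeeded AND affirmed the session.
// Exception, non-2xx status and unexpected body are all rejections.
async function fixedIsAuthenticated(req, fetchImpl) {
  try {
    const res = await fetchImpl(VALIDATE_URL, { headers: { cookie: req.headers.cookie || "" } });
    if (!res.ok) return false;
    const session = await res.json();
    return session?.valid === true;
  } catch (_) {
    return false;
  }
}

// Dispatcher modelling a privileged Server Action behind the middleware.
async function runPrivilegedAction(req, isAuthenticated, fetchImpl = fakeFetch) {
  if (!(await isAuthenticated(req, fetchImpl))) return { status: 401, body: "unauthorized" };
  return { status: 200, body: `ran ${req.action}` };
}

// Request factory; "updateCronJob" is an assumed action name.
const mkReq = (cookie, action = "updateCronJob") =>
  ({ headers: cookie === undefined ? {} : { cookie }, action });

if (typeof require !== "undefined" && require.main === module) {
  (async () => {
    for (const cookie of [undefined, "session=s3ss10n-ok", "session=expired", "session=%%garbage%%"]) {
      const v = await runPrivilegedAction(mkReq(cookie), vulnerableIsAuthenticated);
      const f = await runPrivilegedAction(mkReq(cookie), fixedIsAuthenticated);
      console.log(String(cookie).padEnd(22), "vulnerable:", v.status, " fixed:", f.status);
    }
  })();
}
```

Run with `node` to print the four cases side by side. The point to carry over to any session middleware is the last two lines of each check: the vulnerable version's default return value is "allow", so every unanticipated failure becomes a bypass, while the fixed version's default is "deny" and only an affirmative answer from the store grants access.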
Business impact
With a CVSS score of 8.3, this vulnerability lets unauthorized users reach the cronjob management functions that the application exposes to administrators. Because those functions schedule commands, an attacker could modify or create scheduled tasks, execute arbitrary commands on the host, or read sensitive system logs, causing significant operational disruption.
Remediation
Immediate Action: Update Cr*nMaster to version 2.2.0 or later, which resolves the session validation flaw. Confirm the running version after deployment rather than relying on the update having been scheduled.
Proactive Monitoring: Review audit logs for unauthorized access attempts or unexpected execution of administrative Server Actions within the Cr*nMaster interface. Requests to those actions that arrive with a missing, malformed, or otherwise invalid session cookie yet succeed are the signature of this flaw being exercised.
Compensating Controls: Until the update is applied, place the Cr*nMaster management UI behind a reverse proxy that enforces its own authentication (e.g., OIDC or mTLS) before forwarding to the application, and block direct network access to the application so the proxy is the only path in. This reduces exposure but does not fix the flaw; the update remains required.
Exploitation status
Public Exploit Available: False
Analyst recommendation
This vulnerability is a high-risk flaw that grants attackers unauthenticated administrative access. Organizations running Cr*nMaster should prioritize the update to version 2.2.0 to restore session integrity and prevent unauthorized command execution on their infrastructure, treating the reverse-proxy control above as a stopgap rather than a substitute.