CVE-2026-22104

Hashtopolis · Server

Hashtopolis server contains an authorization bypass vulnerability in the web interface chunk activity component, allowing authenticated users to access unauthorized data.

Executive summary

An authorization bypass vulnerability in the Hashtopolis server allows authenticated users to access sensitive data, posing a significant risk to data confidentiality.

Vulnerability

The application suffers from an improper access control flaw (CWE-639) within the chunk activity component of the web interface. This vulnerability requires the attacker to have low-level privileges to successfully exploit the authorization bypass.

Business impact

The successful exploitation of this vulnerability leads to unauthorized access to sensitive information, potentially resulting in data exfiltration or the compromise of internal processing tasks. With a CVSS score of 7.1, this represents a high-severity risk that could undermine the integrity of password cracking or distributed computing operations managed by the server.

Remediation

Immediate Action: Update the Hashtopolis server to version 0.14.8 or later to incorporate the vendor-supplied security patch.

Proactive Monitoring: Review web interface access logs for unusual patterns or access requests to the chunk activity component that deviate from standard operational behavior.

Compensating Controls: Implement strict network access controls to limit access to the Hashtopolis interface to trusted administrative subnets, reducing the attack surface.

Exploitation status

Public Exploit Available: Unknown

Analyst recommendation

Given the potential for unauthorized data access, administrators should treat this update with high priority. We strongly recommend applying the patch to version 0.14.8 immediately to prevent potential exploitation by malicious actors who have gained low-level access to the environment.