CVE-2026-44986
Penpot · Penpot
Penpot contains an authentication bypass vulnerability that allows registered users to hijack arbitrary accounts by manipulating invitation flows and profile registration processes.
Executive summary
A critical authentication bypass in Penpot enables authenticated users to perform unauthorized account takeovers, potentially leading to full administrative compromise.
Vulnerability
The vulnerability stems from flaws in the team invitation and profile registration logic, where session creation is improperly linked to email matching without validating password credentials. This allows a user with existing access to impersonate other profiles by manipulating the registration sequence.
Business impact
Successful exploitation allows an attacker to gain unauthorized access to any non-blocked user account, including those with elevated privileges. With a CVSS score of 9.9, the impact includes unauthorized data access, potential intellectual property theft within design projects, and total loss of account integrity.
Remediation
Immediate Action: Upgrade Penpot to version 2.14.5 or later to resolve the authentication logic flaws.
Proactive Monitoring: Monitor user registration and invitation logs for anomalous activity, specifically frequent profile creation or suspicious associations between email addresses and user IDs.
Compensating Controls: Implement strict network-level access controls for the registration and invitation endpoints while the upgrade is being prepared.
Exploitation status
Public Exploit Available: No
Analyst recommendation
The risk of account takeover necessitates urgent action. Organizations currently running Penpot should apply the 2.14.5 update immediately to secure their user base and prevent unauthorized access to sensitive collaborative design data.