PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-50635 LimeSurvey CVE debrief

CVE-2026-50635 is a high-severity vulnerability in LimeSurvey, a popular open-source survey application. The issue arises from LimeSurvey's insecure handling of the HTTP Host header when generating password reset links: the software builds these links from the client-supplied Host header without validating it. A remote, unauthenticated attacker can therefore submit a forgotten-password request for a known account with a spoofed Host header, and LimeSurvey emails the account a reset link whose hostname the attacker controls but which embeds the genuine validation_key. When the recipient, or an automated inbound mail-security link scanner, follows that link, the valid reset token is disclosed to the attacker, who can then replay it against the legitimate host's newPassword endpoint to set a new password and take over the account. The vulnerability has a CVSS score of 8.7 (high). The CVE was published on 2026-06-09T18:17:10.273Z and last modified on 2026-06-09T19:36:10.547Z.

Vendor: LimeSurvey
Product: Unknown
CVSS: HIGH 8.7
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-09
Original CVE updated: 2026-06-09
Advisory published: 2026-06-09
Advisory updated: 2026-06-09

Who should care

Users of LimeSurvey, especially those who have not applied the necessary patches or updates, should be aware of this vulnerability. The issue affects LimeSurvey's default configuration, because the optional allowedHosts allowlist is undefined unless an administrator sets it, so many installations are vulnerable out of the box. Security teams and administrators responsible for survey software should prioritize patching or mitigating this vulnerability to prevent account takeovers.

Technical summary

The vulnerability exists in LimeSurvey's password reset functionality. When a user requests a password reset, LimeSurvey generates a reset link based on the HTTP Host header provided by the client. Without proper validation, an attacker can manipulate this header to create a link with an attacker-controlled hostname. This link, when accessed, reveals the valid reset token to the attacker, allowing them to reset the password and gain control of the account.
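The following is an added example, not LimeSurvey's own code, that contrasts the flawed pattern described above (the link's host is copied from the request) with a hardened builder that only honours a Host value found on an explicit allowlist and otherwise falls back to an administrator-configured canonical URL. The reset path, the query parameter names, the settings names and the example hostnames are assumptions; only the existence of an optional allowedHosts allowlist and the validation_key token come from the advisory.

```python
"""Password-reset link construction: trusting the Host header vs. validating it.

Added example, not LimeSurvey's code. The reset path, the query parameter
names and the settings below are assumptions modelled on the advisory text.
"""
from typing import FrozenSet, Optional
from urllib.parse import urlencode, urlsplit

# Constructed deployment settings (assumption, not from the page).
CANONICAL_BASE_URL = "https://survey.example.org"
ALLOWED_HOSTS = frozenset({"survey.example.org", "survey.example.org:8443"})
RESET_PATH = "/newPassword"  # endpoint name from the advisory; the path itself is assumed


def build_reset_link_vulnerable(request_host: str, user_id: int, validation_key: str) -> str:
    """The flawed pattern: the authority part of the link is copied from the
    client-supplied Host header, so the genuine token ends up in a URL that
    points wherever the requester said. Shown only to contrast with the fix."""
    query = urlencode({"user": user_id, "validation_key": validation_key})
    return f"https://{request_host}{RESET_PATH}?{query}"


def normalize_host(raw_host: str) -> Optional[str]:
    """Canonicalize a Host header value for allowlist comparison.

    Returns lower-cased host[:port] with a default 443 port dropped, or None
    when the value is not a bare authority (userinfo, path, bad port, empty).
    """
    parts = urlsplit("//" + raw_host.strip())
    if parts.path or parts.query or parts.fragment or parts.username is not None:
        return None
    try:
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return None
    if not parts.hostname:
        return None
    return parts.hostname if port in (None, 443) else f"{parts.hostname}:{port}"


def build_reset_link_hardened(
    request_host: str,
    user_id: int,
    validation_key: str,
    allowed_hosts: FrozenSet[str] = frozenset(),
    canonical_base_url: str = CANONICAL_BASE_URL,
) -> str:
    """Use the request's Host only if it is on the allowlist; otherwise fall
    back to the administrator-configured canonical URL. An empty allowlist
    therefore means "always canonical", never "accept any Host"."""
    host = normalize_host(request_host)
    base = f"https://{host}" if host in allowed_hosts else canonical_base_url.rstrip("/")
    query = urlencode({"user": user_id, "validation_key": validation_key})
    return f"{base}{RESET_PATH}?{query}"


if __name__ == "__main__":
    for h in ("survey.example.org", "Survey.Example.org:443", "attacker.example",
              "evil.example@survey.example.org"):
        print(f"{h!r:40} -> {build_reset_link_hardened(h, 7, 'abc123', ALLOWED_HOSTS)}")
```

The point of the fallback is that the reset mail is still sent with a working link for any request, so a misconfigured or missing allowlist degrades to the canonical host rather than to the requester's choice, which is exactly the failure mode the advisory describes for the undefined allowedHosts default.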

Defensive priority

High

Recommended defensive actions

  • Apply patches or updates provided by LimeSurvey to address this vulnerability.
  • Configure the allowedHosts setting to restrict which hosts can be used for password reset links.
  • Implement additional security measures for password reset processes, such as requiring additional authentication factors.
  • Monitor for suspicious password reset requests and account activities.
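As an added example of the monitoring action above (not code from the advisory or from LimeSurvey), the script below runs a simple detection over access-log lines: it flags forgot-password submissions whose Host header is not one the deployment legitimately serves, which is the precondition for a reset mail carrying a foreign hostname, and groups the hits by client address. The log format, the request paths, the known-host set and every sample line are constructed for the demonstration and would need adapting to the real front-end proxy's format.

```python
"""Spot forgot-password requests that arrived with an unexpected Host header.

Added example, not part of the advisory or LimeSurvey. The log format, the
request paths and every log line below are constructed for the demo.
"""
import re
from collections import Counter
from typing import Dict, List

# Hosts this deployment legitimately answers on (assumption).
KNOWN_HOSTS = {"survey.example.org"}
FORGOT_PATH = "/forgotpassword"  # assumed path of the request-reset form

# Constructed access-log format: client [timestamp] host="..." "METHOD path" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] host="(?P<host>[^"]*)" '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)" (?P<status>\d{3})$'
)

# Constructed sample lines; addresses are from documentation ranges.
SAMPLE_LOG = """\
203.0.113.10 [09/Jun/2026:18:20:01 +0000] host="survey.example.org" "POST /forgotpassword" 200
203.0.113.77 [09/Jun/2026:18:21:14 +0000] host="reset-survey.example.net" "POST /forgotpassword" 200
203.0.113.77 [09/Jun/2026:18:21:20 +0000] host="Survey.Example.org:443" "POST /forgotpassword" 200
203.0.113.77 [09/Jun/2026:18:22:03 +0000] host="evil.example" "POST /forgotpassword" 200
198.51.100.5 [09/Jun/2026:18:30:45 +0000] host="survey.example.org" "GET /newPassword?user=7&validation_key=REDACTED" 200
"""


def canonical_host(host: str) -> str:
    """Lower-case and drop an explicit default HTTPS port so that
    'Survey.Example.org:443' compares equal to 'survey.example.org'."""
    host = host.strip().lower()
    return host[:-4] if host.endswith(":443") else host


def parse_log(text: str) -> List[Dict[str, str]]:
    """Parse the constructed format; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def spoofed_reset_requests(entries: List[Dict[str, str]], known_hosts=KNOWN_HOSTS) -> List[Dict[str, str]]:
    """Forgot-password submissions whose Host is not one this deployment serves."""
    return [
        e for e in entries
        if e["method"] == "POST"
        and e["path"].split("?", 1)[0] == FORGOT_PATH
        and canonical_host(e["host"]) not in known_hosts
    ]


def requests_per_source(findings: List[Dict[str, str]]) -> Counter:
    """Group findings by client address; repeats from one source are the
    strongest signal and a candidate for rate limiting at the edge."""
    return Counter(e["ip"] for e in findings)


if __name__ == "__main__":
    hits = spoofed_reset_requests(parse_log(SAMPLE_LOG))
    for e in hits:
        print(f'{e["ts"]} {e["ip"]} unexpected Host {e["host"]!r} on {FORGOT_PATH}')
    print(requests_per_source(hits))
```

Once the allowedHosts setting or a patched build is in place these requests no longer produce a foreign-host link, but the same rule remains useful as a low-noise indicator that someone is probing the reset flow.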

Evidence notes

The CVE record and details were obtained from official sources, including CVE.org and the National Vulnerability Database (NVD). Additional information was gathered from LimeSurvey's GitHub repository and VulnCheck's advisory.

Official resources

CVE-2026-50635 was published on 2026-06-09T18:17:10.273Z and last modified on 2026-06-09T19:36:10.547Z.