CVE-2026-61458 Brute-Force Vulnerability in PasswordPusher
A brute-force vulnerability, tracked as CVE-2026-61458, exists in PasswordPusher versions prior to 2.9.2, allowing attackers with a known push token to systematically guess passphrases at high rates due to a lack of route-specific rate limiting and per-push lockout mechanisms on the POST /p/:token/access endpoint, potentially leading to the recovery of sensitive secrets within hours or days.
CVE-2026-61458 identifies a critical brute-force vulnerability in PasswordPusher versions preceding 2.9.2, impacting the application's ability to secure pushed secrets. The vulnerability specifically targets the POST /p/:token/access endpoint, which is designed to allow recipients to retrieve a secret using a passphrase and a valid push token. However, this endpoint lacks essential security controls, including route-specific rate limiting and per-push lockout mechanisms. This oversight allows an attacker who has obtained a valid push token (e.g., through social engineering or data exposure) to conduct a high-volume, automated brute-force attack against the associated passphrase. Attackers can attempt to guess passphrases at a rate of approximately 120 attempts per minute without triggering any defenses, making short or dictionary-derived passphrases easily recoverable within a short timeframe, thereby compromising sensitive information.
Attack Chain
- An attacker obtains a valid PasswordPusher "push token" through various means, such as social engineering, data breach, or misconfiguration.
- The attacker initiates a series of automated HTTP POST requests targeting the
POST /p/:token/accessendpoint. - Each POST request includes a systematically guessed passphrase as part of the request body or parameters.
- The PasswordPusher application processes each passphrase attempt without applying any route-specific rate limiting, allowing for a rapid succession of guesses.
- The application also lacks per-push lockout mechanisms, meaning an incorrect guess does not temporarily block further attempts for that specific push.
- The attacker continues to send passphrase guesses at a rate of approximately 120 attempts per minute.
- Upon a successful passphrase guess, the application grants access, and the attacker retrieves the sensitive secret associated with the push token.
Impact
Successful exploitation of CVE-2026-61458 allows attackers to bypass passphrase protection on PasswordPusher secrets. This can lead to the unauthorized disclosure of sensitive data, including credentials, private keys, or other confidential information that users share via the platform. Organizations relying on PasswordPusher for secure secret sharing are at risk of data breaches, especially if users employ short or easily guessable passphrases. The lack of throttling mechanisms makes these secrets highly susceptible to recovery, potentially compromising a large number of sensitive pushes across the affected PasswordPusher instances.
Recommendation
- Patch CVE-2026-61458 immediately by updating all PasswordPusher instances to version 2.9.2 or later.
- Implement network-level rate limiting on web application firewalls (WAF) or load balancers for the
/p/:token/accessendpoint to mitigate brute-force attempts. - Deploy the Sigma rule below to your SIEM and tune for your environment by setting appropriate thresholds for the number of requests within a given timeframe from a single source IP.
- Enable comprehensive web server access logging to monitor for unusual patterns of POST requests to the
/p/:token/accessendpoint from single source IPs, which could indicate a brute-force attack. - Educate users on the importance of using long, complex, and unique passphrases for PasswordPusher pushes to increase the time and computational resources required for successful brute-forcing.
Detection coverage 1
Detect PasswordPusher CVE-2026-61458 Brute-Force Attempt Indicator
mediumDetects attempts to access the PasswordPusher /p/:token/access endpoint, which is vulnerable to brute-force attacks (CVE-2026-61458). Multiple events from the same source IP within a short timeframe may indicate an ongoing brute-force attack.
Detection queries are available on the platform. Get full rules →