{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/passwordpusher-before-2.9.2/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[{"cvss":7.5,"id":"CVE-2026-61458"}],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["PasswordPusher before 2.9.2"],"_cs_severities":["high"],"_cs_tags":["vulnerability","brute-force","web-application","credential-access"],"_cs_type":"advisory","_cs_vendors":["pglombardo"],"content_html":"\u003cp\u003eCVE-2026-61458 identifies a critical brute-force vulnerability in PasswordPusher versions preceding 2.9.2, impacting the application's ability to secure pushed secrets. The vulnerability specifically targets the \u003ccode\u003ePOST /p/:token/access\u003c/code\u003e endpoint, which is designed to allow recipients to retrieve a secret using a passphrase and a valid push token. However, this endpoint lacks essential security controls, including route-specific rate limiting and per-push lockout mechanisms. This oversight allows an attacker who has obtained a valid push token (e.g., through social engineering or data exposure) to conduct a high-volume, automated brute-force attack against the associated passphrase. Attackers can attempt to guess passphrases at a rate of approximately 120 attempts per minute without triggering any defenses, making short or dictionary-derived passphrases easily recoverable within a short timeframe, thereby compromising sensitive information.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker obtains a valid PasswordPusher \u0026quot;push token\u0026quot; through various means, such as social engineering, data breach, or misconfiguration.\u003c/li\u003e\n\u003cli\u003eThe attacker initiates a series of automated HTTP POST requests targeting the \u003ccode\u003ePOST /p/:token/access\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eEach POST request includes a systematically guessed passphrase as part of the request body or parameters.\u003c/li\u003e\n\u003cli\u003eThe PasswordPusher application processes each passphrase attempt without applying any route-specific rate limiting, allowing for a rapid succession of guesses.\u003c/li\u003e\n\u003cli\u003eThe application also lacks per-push lockout mechanisms, meaning an incorrect guess does not temporarily block further attempts for that specific push.\u003c/li\u003e\n\u003cli\u003eThe attacker continues to send passphrase guesses at a rate of approximately 120 attempts per minute.\u003c/li\u003e\n\u003cli\u003eUpon a successful passphrase guess, the application grants access, and the attacker retrieves the sensitive secret associated with the push token.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-61458 allows attackers to bypass passphrase protection on PasswordPusher secrets. This can lead to the unauthorized disclosure of sensitive data, including credentials, private keys, or other confidential information that users share via the platform. Organizations relying on PasswordPusher for secure secret sharing are at risk of data breaches, especially if users employ short or easily guessable passphrases. The lack of throttling mechanisms makes these secrets highly susceptible to recovery, potentially compromising a large number of sensitive pushes across the affected PasswordPusher instances.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003ePatch CVE-2026-61458 immediately by updating all PasswordPusher instances to version 2.9.2 or later.\u003c/li\u003e\n\u003cli\u003eImplement network-level rate limiting on web application firewalls (WAF) or load balancers for the \u003ccode\u003e/p/:token/access\u003c/code\u003e endpoint to mitigate brute-force attempts.\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule below to your SIEM and tune for your environment by setting appropriate thresholds for the number of requests within a given timeframe from a single source IP.\u003c/li\u003e\n\u003cli\u003eEnable comprehensive web server access logging to monitor for unusual patterns of POST requests to the \u003ccode\u003e/p/:token/access\u003c/code\u003e endpoint from single source IPs, which could indicate a brute-force attack.\u003c/li\u003e\n\u003cli\u003eEducate users on the importance of using long, complex, and unique passphrases for PasswordPusher pushes to increase the time and computational resources required for successful brute-forcing.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-07-13T22:20:47Z","date_published":"2026-07-13T22:20:47Z","id":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61458/","summary":"A brute-force vulnerability, tracked as CVE-2026-61458, exists in PasswordPusher versions prior to 2.9.2, allowing attackers with a known push token to systematically guess passphrases at high rates due to a lack of route-specific rate limiting and per-push lockout mechanisms on the POST /p/:token/access endpoint, potentially leading to the recovery of sensitive secrets within hours or days.","title":"CVE-2026-61458 Brute-Force Vulnerability in PasswordPusher","url":"https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61458/"}],"language":"en","title":"CraftedSignal Threat Feed - PasswordPusher Before 2.9.2","version":"https://jsonfeed.org/version/1.1"}