<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>Pglombardo - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/vendors/pglombardo/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Mon, 13 Jul 2026 22:20:47 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/vendors/pglombardo/feed.xml" rel="self" type="application/rss+xml"/><item><title>CVE-2026-61458 Brute-Force Vulnerability in PasswordPusher</title><link>https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61458/</link><pubDate>Mon, 13 Jul 2026 22:20:47 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2026-07-cve-2026-61458/</guid><description>A brute-force vulnerability, tracked as CVE-2026-61458, exists in PasswordPusher versions prior to 2.9.2, allowing attackers with a known push token to systematically guess passphrases at high rates due to a lack of route-specific rate limiting and per-push lockout mechanisms on the POST /p/:token/access endpoint, potentially leading to the recovery of sensitive secrets within hours or days.</description><content:encoded><![CDATA[<p>CVE-2026-61458 identifies a critical brute-force vulnerability in PasswordPusher versions preceding 2.9.2, impacting the application's ability to secure pushed secrets. The vulnerability specifically targets the <code>POST /p/:token/access</code> endpoint, which is designed to allow recipients to retrieve a secret using a passphrase and a valid push token. However, this endpoint lacks essential security controls, including route-specific rate limiting and per-push lockout mechanisms. This oversight allows an attacker who has obtained a valid push token (e.g., through social engineering or data exposure) to conduct a high-volume, automated brute-force attack against the associated passphrase. Attackers can attempt to guess passphrases at a rate of approximately 120 attempts per minute without triggering any defenses, making short or dictionary-derived passphrases easily recoverable within a short timeframe, thereby compromising sensitive information.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker obtains a valid PasswordPusher &quot;push token&quot; through various means, such as social engineering, data breach, or misconfiguration.</li>
<li>The attacker initiates a series of automated HTTP POST requests targeting the <code>POST /p/:token/access</code> endpoint.</li>
<li>Each POST request includes a systematically guessed passphrase as part of the request body or parameters.</li>
<li>The PasswordPusher application processes each passphrase attempt without applying any route-specific rate limiting, allowing for a rapid succession of guesses.</li>
<li>The application also lacks per-push lockout mechanisms, meaning an incorrect guess does not temporarily block further attempts for that specific push.</li>
<li>The attacker continues to send passphrase guesses at a rate of approximately 120 attempts per minute.</li>
<li>Upon a successful passphrase guess, the application grants access, and the attacker retrieves the sensitive secret associated with the push token.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-61458 allows attackers to bypass passphrase protection on PasswordPusher secrets. This can lead to the unauthorized disclosure of sensitive data, including credentials, private keys, or other confidential information that users share via the platform. Organizations relying on PasswordPusher for secure secret sharing are at risk of data breaches, especially if users employ short or easily guessable passphrases. The lack of throttling mechanisms makes these secrets highly susceptible to recovery, potentially compromising a large number of sensitive pushes across the affected PasswordPusher instances.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Patch CVE-2026-61458 immediately by updating all PasswordPusher instances to version 2.9.2 or later.</li>
<li>Implement network-level rate limiting on web application firewalls (WAF) or load balancers for the <code>/p/:token/access</code> endpoint to mitigate brute-force attempts.</li>
<li>Deploy the Sigma rule below to your SIEM and tune for your environment by setting appropriate thresholds for the number of requests within a given timeframe from a single source IP.</li>
<li>Enable comprehensive web server access logging to monitor for unusual patterns of POST requests to the <code>/p/:token/access</code> endpoint from single source IPs, which could indicate a brute-force attack.</li>
<li>Educate users on the importance of using long, complex, and unique passphrases for PasswordPusher pushes to increase the time and computational resources required for successful brute-forcing.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>vulnerability</category><category>brute-force</category><category>web-application</category><category>credential-access</category></item></channel></rss>