MEDIUM 5.9

CVE-2026-25861: QloApps MD5 Password Hashing Vulnerability—Weak Cryptography Enables Credential Compromise

QloApps versions through 1.7.0 use MD5 to hash passwords, a cryptographic method that is computationally cheap to crack. The vulnerability is particularly severe because QloApps concatenates a static value (a cookie key) with user passwords before hashing, reducing the effective randomness of the hash. When guest accounts are automatically converted to customer accounts, the system assigns simple 8-character passwords, which are trivially recoverable through offline brute-force attacks. An attacker who gains access to the password database can extract user credentials without needing to interact with the application in real time.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.9 MEDIUM · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N
Weaknesses (CWE)
CWE-916
Affected products
0 configuration(s)
Published / Modified
2026-06-02 / 2026-06-17

NVD description (verbatim)

QloApps through 1.7.0, fixed in commit 64e9722, contains a weak cryptographic algorithm vulnerability that allows attackers to compromise user credentials by exploiting the use of MD5 for password hashing in the Tools::encrypt() function within classes/Tools.php, which concatenates a static cookie key with the supplied password. Attackers can perform offline brute-force attacks against the MD5 hashes, with the risk compounded by auto-generated 8-character passwords assigned during guest-to-customer account conversion in classes/Customer.php, making credential recovery trivial.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The Tools::encrypt() function in classes/Tools.php implements password hashing using MD5, concatenating a static cookie key with the supplied password before hashing. This design introduces two critical weaknesses: first, MD5 is deprecated for password hashing due to its collision properties and computational speed; second, the use of a static salt (the cookie key) is cryptographically insufficient because it is not unique per password and is typically discoverable through code inspection. The vulnerability is compounded in classes/Customer.php, where guest-to-customer account conversion automatically generates 8-character passwords. Such short passwords combined with MD5's speed enable rapid offline enumeration. An attacker in possession of the MD5 hashes (via database compromise or log exfiltration) can recover plaintext credentials in hours on commodity hardware.

Business impact

Customer account compromise poses direct financial and reputational risk. In a hotel or booking application context (QloApps' primary use case), compromised guest accounts enable unauthorized reservations, fraudulent bookings, and access to payment information. Attackers may also modify guest profiles or extract personal data. The low barrier to credential recovery—especially for auto-generated passwords—means a single database breach can result in widespread account takeovers. Organizations using QloApps may face liability under data protection regulations (GDPR, CCPA) if customer passwords are not adequately protected.

Affected systems

QloApps through version 1.7.0 is affected. The vulnerability exists in the core password-hashing mechanism used during customer account creation and authentication. Any installation that relies on the default Tools::encrypt() function for password storage is exposed. The issue affects both manually created accounts and auto-converted guest accounts, though the latter carries higher risk due to predictable password length.

Exploitability

Exploitation requires offline access to the password hash database, typically via SQL injection, misconfigured backups, or insider access. Once hashes are obtained, attackers can perform brute-force attacks without rate limiting. MD5 password cracking is well-established and tooling is widely available. The combination of MD5 speed and short auto-generated passwords means credentials can be recovered in minutes to hours per account. No network interaction or authentication is required during the cracking phase. The vulnerability does not require special privileges or complex attack chains.

Remediation

Upgrade to a QloApps version that includes the fix referenced in commit 64e9722, or verify with the vendor for the corresponding stable release. This fix should replace MD5 with a modern password-hashing algorithm such as bcrypt, scrypt, or Argon2 that incorporates per-password random salts. During and after upgrade, force password resets for all existing user accounts to ensure new passwords are hashed with the secure algorithm. Organizations should also audit logs and database access to identify whether hashes have been compromised.

Patch guidance

Check the QloApps release notes and vendor advisory to identify the specific version containing commit 64e9722. Apply the update following QloApps' standard deployment procedures, which typically involve database backup, code replacement, and automated migrations. Verify that the password-hashing logic has been updated to use a modern algorithm with cryptographically random salts. After patching, initiate a password reset cycle for all user accounts. If running a custom or forked version of QloApps, review the custom Tools::encrypt() implementation and apply equivalent security updates. Test the patch in a non-production environment before production deployment.

Detection guidance

Review the Tools.php file in your QloApps installation to confirm the hashing algorithm used. Search for calls to md5() or use of the static cookie key in password operations. Verify that new hashes generated post-patch use bcrypt, scrypt, or Argon2. Monitor database access logs for unusual queries targeting the customer password fields. If you suspect a breach, attempt to identify which password hashes were created before the patch and prioritize password resets for those accounts. Consider using a password analyzer tool to test whether older hashes can be quickly recovered.

Why prioritize this

Although the CVSS score is 5.9 (MEDIUM), the practical risk is elevated due to the ease of offline password recovery and the likelihood of password reuse across customer accounts and external services. The auto-generated 8-character passwords dramatically lower the computational cost of credential recovery. For SaaS or multi-tenant deployments, a single breach exposes hundreds or thousands of guest accounts. Organizations storing payment card data or personal information should treat this as high priority.

Risk score, explained

The CVSS 3.1 score of 5.9 reflects a network-accessible vulnerability (AV:N) with high complexity for exploitation (AC:H) and no special privileges required, but limited to confidentiality impact (C:H/I:N/A:N). The AC:H factor accounts for the requirement to obtain the password hash database first. However, this underweights the practical risk: once hashes are accessible, the confidentiality impact is nearly certain due to MD5's computational speed and the weakness of auto-generated passwords. Organizations with strict data protection mandates should consider this a higher priority than the CVSS score alone suggests.

Frequently asked questions

What does the static cookie key in Tools::encrypt() do, and why is it a problem?

The cookie key is a fixed string embedded in the source code, used as a salt for hashing. A proper salt should be random and unique per password; a static salt is publicly discoverable and provides no protection against rainbow table attacks. Attackers who know the cookie key can pre-compute MD5 hashes for common passwords and 8-character variations, making lookups instantaneous.

Are auto-generated passwords during guest conversion really that weak?

Yes. Eight-character passwords generated by the system likely follow a predictable pattern (e.g., random alphanumeric). The effective keyspace is much smaller than a user-chosen password. Combined with MD5, an attacker can exhaust the search space in minutes using a GPU or ASIC hardware, especially if the generator uses a limited character set.

Do we need to do anything if we've already patched?

Yes. Patching the code prevents new weak hashes from being created, but existing hashes remain vulnerable. Conduct a forced password reset for all users. During reset, verify that new passwords are hashed with the upgraded algorithm. Investigate whether password hashes were ever exfiltrated or logged in plaintext.

What should we use to replace MD5 for password hashing?

Use bcrypt, scrypt, Argon2, or PBKDF2 with a high iteration count. These algorithms incorporate random per-password salts by default and are computationally expensive, making brute-force attacks infeasible. Argon2 is the current NIST-recommended standard for password hashing.

This analysis is provided for informational purposes and reflects the state of the vulnerability as of the publication date. Security teams should verify patch availability and version information directly with the QloApps vendor before taking action. This explanation does not constitute legal or compliance advice. Organizations should assess their specific risk context, data classification, and regulatory requirements when prioritizing remediation. Always test patches in non-production environments before deployment to production systems. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).