MEDIUM 5.4

CVE-2026-45778: OpenXDMoD Stored XSS and Account Takeover via Password Reset Abuse

OpenXDMoD, an open-source HPC (High Performance Computing) metrics collection and analysis framework, contains a stored cross-site scripting (XSS) vulnerability in user profiles combined with a password reset abuse vector. An authenticated attacker can inject malicious JavaScript into their profile, then weaponize the password reset feature to send victims a crafted link. When a victim clicks the link, the attacker's payload executes in their browser, enabling credential theft and account hijacking. All versions prior to 11.0.3 are affected.

Source data · NVD / CISA · public domain

CVSS
3.1 · 5.4 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
Weaknesses (CWE)
CWE-79
Affected products
1 configuration(s)
Published / Modified
2026-06-05 / 2026-06-17

NVD description (verbatim)

OpenXDMoD is an open framework for collecting and analyzing HPC metrics. Prior to version 11.0.3, an authenticated attacker can inject malicious JavaScript into their Open XDMoD user profile and abuse the password reset functionality to email a link to an HTML page, which when visited by the victim, reflects and executes the unsanitized payload in the victim's browser, potentially leading to credential capture and Open XDMoD account takeover. All deployments of Open XDMoD prior to 11.0.3 are impacted. This issue was reported privately on 2026-04-06, and at this time there is no evidence that this vulnerability has been exploited in the wild. The vulnerability was patched in Open XDMoD 11.0.3 on 2026-05-12. As a workaround, apply the patch manually.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The vulnerability is a stored XSS flaw (CWE-79) in OpenXDMoD's user profile functionality paired with improper sanitization of HTML in password reset emails. An attacker with valid credentials crafts a malicious JavaScript payload and stores it in their profile. When the attacker triggers the password reset feature and provides a victim's email address, the system generates a reset link containing an HTML page that reflects the unsanitized profile data. The reflected content executes in the victim's browser context, bypassing Same-Origin Policy protections due to the cross-site (S:C) scope. The attack requires user interaction (UI:R) — specifically that the victim click the password reset link — but no additional privileges or complex exploitation steps.

Business impact

This vulnerability poses a direct threat to account security within HPC environments, which often manage sensitive research data and computational resources. Attackers can impersonate legitimate users, access their research outputs, modify job submissions, or pivot to connected systems. In multi-tenant HPC facilities, compromised accounts create lateral movement opportunities. The impact is amplified in environments where OpenXDMoD credentials are shared or reused across other systems. For organizations relying on OpenXDMoD for resource accountability and metering, account takeover disrupts audit trails and compliance reporting.

Affected systems

All OpenXDMoD deployments prior to version 11.0.3 are vulnerable. This includes standalone deployments and those integrated into larger HPC infrastructure. The vulnerability requires the attacker to already possess valid OpenXDMoD credentials; public-facing instances with open registration or instances accessible to insider threats are at heightened risk. No evidence of exploitation in the wild as of the publication date.

Exploitability

Exploitability is moderate. The attack requires an authenticated account (reducing the pool of potential attackers to internal users or those with compromised credentials), but once inside, the attack chain is straightforward: inject payload, trigger password reset, send link to target. The victim interaction requirement (clicking the reset link) is a realistic social engineering scenario, especially if the attacker crafts a convincing pretext. No complex tooling or advanced evasion is needed. The vulnerability does not lead to remote code execution on the server or privilege escalation beyond account takeover.

Remediation

Immediately upgrade OpenXDMoD to version 11.0.3 or later, released 2026-05-12. The patch includes input sanitization in user profiles and proper output encoding in password reset emails. For organizations unable to upgrade immediately, the vendor recommends manual patching; verify the specific patch availability in the OpenXDMoD advisory. No supported versions prior to 11.0.3 are mentioned as receiving backports.

Patch guidance

Apply OpenXDMoD 11.0.3 or later. Follow the vendor's upgrade documentation to ensure configuration and data preservation. Test the upgrade in a non-production environment first to validate compatibility with any local customizations. If immediate patching is infeasible, the vendor notes that manual patching is available as a temporary workaround; refer to the official advisory for patch details and application steps. Verify patch application by confirming the version string in the OpenXDMoD web interface.

Detection guidance

Monitor for signs of profile injection attempts: watch for unusual character sequences in user profile updates (especially JavaScript keywords, HTML tags, event handlers). Log and alert on suspicious password reset requests, particularly those targeting high-privilege accounts or sent in rapid succession. Review password reset email logs for requests originating from internal users. In web proxy or application firewall logs, look for encoded JavaScript payloads in POST requests to profile endpoints. Audit successful logins shortly after password reset events to detect account takeovers. Review audit logs for changes to user roles or permissions following suspected exploitation.

Why prioritize this

Despite a MEDIUM CVSS score (5.4), this vulnerability merits prompt attention because it enables account takeover in an environment managing computational resources and potentially sensitive research data. The attack requires only valid credentials (an insider threat or credential compromise scenario) and basic social engineering. HPC facilities often have limited security monitoring relative to enterprise IT, making detection harder post-exploitation. The six-day gap between private disclosure (2026-04-06) and public release (2026-06-05) suggests responsible disclosure was followed, reducing the window of unpatched exposure. However, the lack of KEV status and no evidence of in-the-wild exploitation suggest lower immediate threat. Prioritize based on organizational risk: high if OpenXDMoD is exposed to untrusted users or if credential compromise is a concern; moderate for internal-only deployments with strong access controls.

Risk score, explained

The CVSS 3.1 score of 5.4 (MEDIUM) reflects several factors: Network accessibility (AV:N) and low attack complexity (AC:L) increase reach; however, the requirement for prior authentication (PR:L) significantly reduces the threat surface. User interaction (UI:R) further constraints exploitability. The impact is limited to confidentiality and integrity (C:L, I:L) with no availability impact (A:N), as the attacker cannot disrupt the service itself. The changed scope (S:C) acknowledges that the payload executes in the victim's browser outside the original security boundary. The score appropriately reflects a serious but not critical vulnerability; elevation to HIGH would require unauthenticated access or broader impact.

Frequently asked questions

Do I need valid OpenXDMoD credentials to exploit this vulnerability?

Yes. The attacker must be able to log in and modify their own profile. This limits the threat to internal users, accounts with compromised credentials, or systems with public registration. Organizations using strict access controls or SSO integration may have a smaller attack surface.

Can an attacker use this to gain administrative access or execute code on the server?

No. The vulnerability allows account takeover of the target user's account through credential capture, not privilege escalation or server-side code execution. An attacker who compromises an admin account could potentially access admin functions, but the vulnerability itself does not bypass authentication on the server.

What should I do if I suspect my OpenXDMoD account has been compromised?

Change your password immediately using a secure channel (preferably from a different machine). Alert your OpenXDMoD administrator to review your account's login history and any profile changes. If you have reused your OpenXDMoD password elsewhere, change those credentials as well. Request your administrator check for unauthorized API access or job submissions under your account.

Is there a way to reduce risk before I can upgrade to 11.0.3?

The vendor recommends applying the manual patch if available from the advisory. Additionally, consider restricting password reset functionality through access controls or IP filtering, limiting who can access OpenXDMoD, or enforcing strong multi-factor authentication if supported. Monitor for suspicious activity as outlined in the detection guidance.

This analysis is provided for informational purposes and reflects information available as of the publication date. No warranty is made regarding accuracy, completeness, or applicability to your specific environment. Always verify CVE details, patch availability, and compatibility against official vendor advisories before deployment. Security decisions should be informed by your organization's risk assessment, network architecture, and threat model. If you believe you have been exploited, engage incident response and forensic investigation immediately. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).