HIGH 8.8

CVE-2026-50635: LimeSurvey Account Takeover via Host Header Injection in Password Reset

LimeSurvey has a password-reset vulnerability that lets attackers take over user accounts without needing valid credentials. When a user requests a password reset, LimeSurvey emails them a link to set a new password. The problem: the application builds that link using whatever hostname the attacker sends in their request, without validating it against a whitelist. By default, LimeSurvey doesn't enforce any allowlist at all. An attacker can submit a forgotten-password request for any known username, supply a spoofed hostname they control, and receive an email containing a valid password-reset token pointed at their malicious domain. When the legitimate user clicks the link or when email security tools scan it, the token gets exposed to the attacker, who can then use it to reset the actual account password and gain access.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.8 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-640
Affected products
0 configuration(s)
Published / Modified
2026-06-09 / 2026-06-17

NVD description (verbatim)

LimeSurvey constructs account password-reset links from the client-supplied HTTP Host header without validating it. The optional allowedHosts allowlist that would constrain this is undefined in the default (and documented) configuration, so LSHttpRequest::checkIsAllowedHost() results in no operation. A remote, unauthenticated attacker who submits a forgotten-password request for a known account (requiring only the target's username and email) with a spoofed Host header causes LimeSurvey to email that account a reset link whose hostname is attacker-controlled while embedding the genuine validation_key. When the recipient or an automated inbound mail-security link scanner dereferences the link, the valid reset token is disclosed to the attacker, who replays it against the legitimate host's newPassword endpoint to set a new password and take over the account.

3 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

LimeSurvey fails to validate the HTTP Host header when constructing password-reset links in the account recovery flow. The LSHttpRequest::checkIsAllowedHost() function is responsible for constraining the Host header against an allowlist (allowedHosts configuration), but this allowlist is undefined by default and absent from the documented configuration. As a result, the validation function performs no actual filtering. An unauthenticated attacker can craft a password-reset request for a target account (supplying only the username and email) while injecting a spoofed Host header pointing to attacker-controlled infrastructure. LimeSurvey then generates a password-reset link containing the legitimate validation_key but with the attacker's hostname embedded. If the recipient or automated mail scanners dereference this malicious link, the validation token is leaked to the attacker. The attacker can then replay this token against the legitimate host's newPassword endpoint to complete an unauthorized password change and account takeover. The vulnerability is classified under CWE-640 (Weak Password Recovery Mechanism Using Hard-Coded Security Questions and Answers), though the core issue is improper use of an untrusted input (the Host header) in a security-critical link.

Business impact

Account takeover of any LimeSurvey user whose username and email are known or guessable. This enables unauthorized access to survey data, administrative functions, and potentially the underlying system depending on the victim's role. For organizations using LimeSurvey for sensitive data collection (customer feedback, internal assessments, research), compromise can lead to data exfiltration and loss of confidentiality. Administrative accounts are particularly high-value targets, since they may have access to configuration, other users' accounts, and hosted data. The attack requires minimal effort—only knowledge of a target's username and email—and succeeds regardless of email security controls because the malicious link appears legitimate to the user and email scanners. No user awareness or social engineering is needed beyond a standard password-reset request.

Affected systems

LimeSurvey instances in any configuration where the allowedHosts allowlist is not explicitly defined in the configuration file (which is the default and documented setup). The vulnerability affects LimeSurvey across all deployment models: on-premise self-hosted, cloud-hosted, and containerized installations. Any instance accessible over the network and offering user account functionality is potentially exploitable. The attack does not require authentication, so external-facing LimeSurvey installations are immediately at risk. Internal LimeSurvey deployments behind authentication gateways or firewalls are less exposed to unauthenticated exploitation but remain vulnerable to account takeover if an attacker can submit a forgotten-password request from within the network or via a compromised internal system.

Exploitability

This vulnerability has a high practical exploitability. No special privileges, authentication credentials, or user interaction with a phishing email is required—the attacker only needs to know or guess a valid username and email address (or iterate common patterns). The attack is purely network-based and does not depend on client software, browser vulnerabilities, or unusual system configurations. The attacker does not need to control DNS or intercept traffic; they simply need to serve a web server on attacker-controlled infrastructure and extract the reset token from logs when the user or email scanner makes a request. The CVSS 3.1 score of 8.8 (HIGH) reflects the high impact (confidentiality, integrity, and availability via account takeover) combined with low attack complexity and no privileges required. Exploitation is straightforward enough that it could be automated and scaled to target many accounts at once. Email security tools that scan links for phishing—intended to protect users—may inadvertently leak the token to the attacker by dereferencing the malicious reset link.

Remediation

Organizations must immediately define an explicit allowedHosts allowlist in the LimeSurvey configuration and ensure it contains only the legitimate hostname(s) or domain(s) through which users access LimeSurvey. This allowlist must be validated and enforced on every password-reset link generation. LimeSurvey should also consider implementing additional protections: validating the Host header against expected values even if allowedHosts is not set, using relative URLs or explicit host references in reset links rather than reconstructing the hostname from untrusted input, and rate-limiting password-reset requests per username to reduce the window of opportunity for token exfiltration. Organizations should also monitor for suspicious password-reset requests (high volume, requests from unusual IP ranges, or requests with mismatched Host headers) and notify users of any account recovery attempts.

Patch guidance

Check the LimeSurvey project's official security advisories and release notes for a patched version addressing CVE-2026-50635. Verify the specific version number and release date against the vendor's advisory before deployment. Apply patches in a controlled manner: test in a staging environment to ensure no disruption to survey operations, configure backups, and plan a maintenance window if necessary. After patching, confirm that the allowedHosts configuration has been reviewed and properly set to include only legitimate hostnames. Restart or redeploy LimeSurvey to activate the patched code. For instances where immediate patching is not possible, implement the configuration-level mitigation by manually defining the allowedHosts allowlist to prevent the Host header from being used without validation.

Detection guidance

Monitor LimeSurvey access and application logs for password-reset requests with suspicious Host header values that do not match your legitimate domain. Look for requests originating from unexpected IP addresses during off-hours or in high volume. Email gateway logs may reveal reset emails sent to external domains or re-routed to attacker infrastructure. Network IDS/IPS rules can flag HTTP requests with mismatched or spoofed Host headers. Monitor for failed password-change attempts on the legitimate host shortly after reset requests, which may indicate an attacker extracting and replaying tokens. If you have access to LimeSurvey's database or logs, search for password-reset audit trails correlating with unusual account lockouts or permission changes. Implement alerting on any password changes for administrative accounts, and consider requiring additional verification (e.g., email confirmation or second factor) before a password change is finalized.

Why prioritize this

This vulnerability merits urgent attention due to its combination of high impact (full account takeover), low attack complexity, and minimal barriers to exploitation. No authentication or user interaction (beyond the normal password-reset flow) is required. Attackers can automate exploitation against many accounts simultaneously. The default LimeSurvey configuration leaves all instances vulnerable unless explicitly hardened. Organizations collecting sensitive data via surveys, managing multi-tenant instances, or hosting administrative accounts should treat this as a critical risk. Even organizations with strong email security posture are at risk because security scanners dereferencing the link may leak the token. A patch should be applied as soon as one is available; interim mitigation via configuration is essential until then.

Risk score, explained

The CVSS 3.1 score of 8.8 (HIGH) reflects: Attack Vector Network (AV:N) – the attack requires no local access; Attack Complexity Low (AC:L) – exploitation does not depend on race conditions, specific configurations, or user actions beyond a normal password reset; Privileges Required None (PR:N) – no authentication is needed to trigger the vulnerability; User Interaction Required (UI:R) – the victim or an email security scanner must click the reset link; and all three impact metrics (Confidentiality, Integrity, Availability) are High because successful exploitation enables complete account takeover, allowing an attacker to read survey data, modify surveys and responses, delete accounts, or perform other privileged actions. The HIGH severity appropriately conveys the serious risk of unauthorized account access and data compromise.

Frequently asked questions

Can this vulnerability be exploited if I don't know a user's email address?

The attacker must know or correctly guess both the username and the email address associated with a LimeSurvey account to submit a valid forgotten-password request. However, in many organizations these are predictable (e.g., [email protected]). If an organization uses sequential or guessable usernames, an attacker can iterate through common patterns and email formats. Organizations should consider whether usernames and email addresses are already public (via directory listings, social media, or company websites).

Does this vulnerability allow unauthenticated access to survey data?

The vulnerability itself allows account takeover, which then grants access to whatever that account could normally access. If a compromised account is an administrative or respondent account, the attacker gains the same permissions as the legitimate user—potentially including access to survey responses, question designs, and participant data. Full data exfiltration is possible if an administrator account is taken over.

If I configure allowedHosts correctly, am I protected?

Yes, configuring allowedHosts to include only legitimate hostnames will prevent the Host header from being injected into reset links. However, ensure that the configuration is syntactically correct and that LimeSurvey's validation function is actually invoked during every password-reset request. Test by attempting a forgotten-password request with a spoofed Host header and verifying that the reset email link contains only your legitimate hostname.

What should I do if I suspect an account has been compromised via this vulnerability?

Force a password reset for all accounts (or high-value accounts like administrators) as an immediate precaution. Audit account login logs for unauthorized access around the time of suspected compromise. Check for changes to account settings, surveys, or permissions. If the compromised account had administrative privileges, review all changes made after the compromise date and consider whether other systems connected to LimeSurvey were affected. Enable multifactor authentication (if available) for all accounts to prevent future takeovers.

This analysis is provided for informational purposes to assist security teams in assessing and remediating CVE-2026-50635. The vulnerability details and CVSS score are based on the published CVE record and vendor advisory. Specific patch version numbers, release dates, and detailed remediation steps should be verified against the official LimeSurvey security advisory before implementation. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and assumes no liability for damages arising from reliance on this information. Always consult official vendor guidance and conduct internal testing before deploying patches or configuration changes in production. Timelines for patch availability, vendor responses, and exploitation in the wild are subject to change. Source: NVD (public-domain), retrieved 2026-07-18. Analysis generated by SEC.co (claude-haiku-4-5).