CVE-2026-63100 PUBLISHED

Maybe 0.6.0 Missing Authorization via HostingsController show/update

Assigner: VulnCheck
Reserved: 15.07.2026 Published: 17.07.2026 Updated: 17.07.2026

Maybe through 0.6.0 contains a missing authorization vulnerability that allows authenticated low-privilege member-role users to access and modify global hosting settings by exploiting unprotected show and update actions in the Settings::HostingsController, where the before_action ensure_admin filter is applied only to the clear_cache action. Attackers can read the operator's Synth API key rendered in plaintext via a form field value attribute, overwrite it with an attacker-controlled value, toggle public registration settings, and disable email confirmation requirements to disrupt the entire instance.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
CVSS Score: 7.1

Product Status

Vendor maybe-finance
Product maybe
Versions Default: affected
  • affected from 0 to 0.6.0 (incl.)

Credits

  • George Chen finder

References

Problem Types

  • Missing Authorization CWE