CVE-2024-51493: OctoPrint has API key access in settings without reauthentication

November 5, 2024

OctoPrint versions up until and including 1.10.2 contain a vulnerability that allows an attacker that has gained temporary control over an authenticated victim’s OctoPrint browser session to retrieve/recreate/delete the user’s or - if the victim has admin permissions - the global API key without having to reauthenticate by re-entering the user account’s password.

An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.

References

github.com/OctoPrint/OctoPrint
github.com/OctoPrint/OctoPrint/commit/9bc80d782d72881b16e20873dcd0b8314324c70c
github.com/OctoPrint/OctoPrint/security/advisories/GHSA-cc6x-8cc7-9953
github.com/advisories/GHSA-cc6x-8cc7-9953
nvd.nist.gov/vuln/detail/CVE-2024-51493

Detect and mitigate CVE-2024-51493 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →