CVE-2024-51493: OctoPrint has API key access in settings without reauthentication
OctoPrint versions up to and including 1.10.2 contain a vulnerability that allows an attacker who has gained temporary control over an authenticated victim's OctoPrint browser session to retrieve, recreate or delete the user's API key, or, if the victim has admin permissions, the global API key, without having to reauthenticate by re-entering the user account's password.
An attacker could use a stolen API key to access OctoPrint through its API, or disrupt workflows depending on the API key they deleted.
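The underlying weakness is a sensitive action (revealing, regenerating or deleting an API key) that is gated only on having a valid session, so a hijacked session is enough. The added example below is not OctoPrint's code and does not reflect its internals; it is a small, self-contained service written for this page that shows the unprotected pattern next to the hardened one, where each key operation requires a recent password re-entry (a "step-up" reauthentication with a constructed 300-second window) and global-key access additionally requires admin permissions. The user store, password hashing, session format and window length are all assumptions made for the example.

```python
"""Step-up reauthentication for API-key management.

Added example, not OctoPrint's code. Everything here (user records, PBKDF2
hashing, session layout, the 300-second window) is an assumption made to
illustrate the pattern, not a description of how OctoPrint stores or
checks anything.
"""
import hashlib
import hmac
import os
import secrets
import time

REAUTH_WINDOW_SECONDS = 300  # assumption: how long a password re-entry stays valid


class AuthError(Exception):
    """Raised when a session, password or permission check fails."""


def _hash_password(password, salt):
    # Low iteration count keeps the example fast; raise it in real code.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


def make_user(name, password, admin=False):
    """Constructed user record with a salted password hash and a fresh API key."""
    salt = os.urandom(16)
    return {
        "name": name,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "admin": admin,
        "api_key": secrets.token_hex(16),
    }


def verify_password(user, password):
    """Constant-time comparison of the supplied password against the stored hash."""
    return hmac.compare_digest(_hash_password(password, user["salt"]), user["pw_hash"])


class ApiKeyService:
    """Holds per-user keys plus one global key; key operations need fresh reauthentication."""

    def __init__(self, users):
        self.users = {u["name"]: u for u in users}
        self.global_api_key = secrets.token_hex(16)
        # session id -> {"user": name, "reauth_at": timestamp of last password re-entry or None}
        self.sessions = {}

    def login(self, name, password):
        user = self.users[name]
        if not verify_password(user, password):
            raise AuthError("bad credentials")
        sid = secrets.token_hex(16)
        self.sessions[sid] = {"user": name, "reauth_at": None}
        return sid

    # Unprotected pattern: anyone holding the session id can read the key.
    def get_user_api_key_unprotected(self, sid):
        return self.users[self.sessions[sid]["user"]]["api_key"]

    # Hardened pattern: the password must be re-entered, and that re-entry expires.
    def reauthenticate(self, sid, password, now=None):
        sess = self.sessions[sid]
        if not verify_password(self.users[sess["user"]], password):
            raise AuthError("reauthentication failed")
        sess["reauth_at"] = time.time() if now is None else now

    def _require_fresh_reauth(self, sid, now=None):
        sess = self.sessions[sid]
        now = time.time() if now is None else now
        if sess["reauth_at"] is None or now - sess["reauth_at"] > REAUTH_WINDOW_SECONDS:
            raise AuthError("password re-entry required")
        return self.users[sess["user"]]

    def get_user_api_key(self, sid, now=None):
        return self._require_fresh_reauth(sid, now)["api_key"]

    def regenerate_user_api_key(self, sid, now=None):
        user = self._require_fresh_reauth(sid, now)
        user["api_key"] = secrets.token_hex(16)
        return user["api_key"]

    def delete_user_api_key(self, sid, now=None):
        user = self._require_fresh_reauth(sid, now)
        user["api_key"] = None

    def get_global_api_key(self, sid, now=None):
        user = self._require_fresh_reauth(sid, now)
        if not user["admin"]:
            raise AuthError("admin permission required")
        return self.global_api_key
```

The `now` parameter exists only so the expiry window can be exercised deterministically; a real handler would read the clock itself. The point to carry over to a review of any settings page is that the session check and the password re-entry are separate controls, and the second must be enforced on every key-revealing or key-mutating route, not only on the form that renders them.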
Detect and mitigate CVE-2024-51493 with GitLab Dependency Scanning