CVE-2024-29026 - Vulnerability Details - OpenCVE

Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue.

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact Low

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0009.

Key SSVC decision points have not yet been added.

Vendors	Products
Owncast Project	Owncast

Configuration 1 [-]

cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*

No data.

No data.

References

Link	Providers
https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32
https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624
https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/

History

Tue, 14 Oct 2025 17:15:00 +0000

Type	Values Removed	Values Added
First Time appeared		Owncast Project Owncast Project owncast
CPEs		cpe:2.3:a:owncast_project:owncast::::::::
Vendors & Products		Owncast Project Owncast Project owncast

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published: 2024-03-20T21:55:22.872Z

Updated: 2024-08-02T01:03:51.653Z

Reserved: 2024-03-14T16:59:47.611Z

Link: CVE-2024-29026

Vulnrichment

Updated: 2024-08-02T01:03:51.653Z

NVD

Status : Analyzed

Published: 2024-03-20T22:15:08.557

Modified: 2025-10-14T17:01:44.903

Link: CVE-2024-29026

Redhat

No data.

OpenCVE Enrichment

No data.

{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2024-29026", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2024-03-14T16:59:47.611Z", "datePublished": "2024-03-20T21:55:22.872Z", "dateUpdated": "2024-08-02T01:03:51.653Z"}, "containers": {"cna": {"title": "Owncast cross origin request", "problemTypes": [{"descriptions": [{"cweId": "CWE-352", "lang": "en", "description": "CWE-352: Cross-Site Request Forgery (CSRF)", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-697", "lang": "en", "description": "CWE-697: Incorrect Comparison", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}}], "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/", "tags": ["x_refsource_CONFIRM"], "url": "https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/"}, {"name": "https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624", "tags": ["x_refsource_MISC"], "url": "https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624"}, {"name": "https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32", "tags": ["x_refsource_MISC"], "url": "https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32"}], "affected": [{"vendor": "owncast", "product": "owncast", "versions": [{"version": "<= 0.1.2", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-20T21:55:22.872Z"}, "descriptions": [{"lang": "en", "value": "Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue."}], "source": {"advisory": "GHSA-v99w-r56h-g23v", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29026", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-21T15:35:48.673391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-06-04T17:56:51.217Z"}}, {"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.653Z"}, "title": "CVE Program Container", "references": [{"name": "https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/", "tags": ["x_refsource_CONFIRM", "x_transferred"], "url": "https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/"}, {"name": "https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624"}, {"name": "https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32", "tags": ["x_refsource_MISC", "x_transferred"], "url": "https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32"}]}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/", "name": "https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/", "tags": ["x_refsource_CONFIRM", "x_transferred"]}, {"url": "https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624", "name": "https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624", "tags": ["x_refsource_MISC", "x_transferred"]}, {"url": "https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32", "name": "https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32", "tags": ["x_refsource_MISC", "x_transferred"]}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T01:03:51.653Z"}}, {"metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2024-29026", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2024-03-21T15:35:48.673391Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2024-05-23T19:01:19.120Z"}, "title": "CISA ADP Vulnrichment"}], "cna": {"title": "Owncast cross origin request", "source": {"advisory": "GHSA-v99w-r56h-g23v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 8.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "LOW"}}], "affected": [{"vendor": "owncast", "product": "owncast", "versions": [{"status": "affected", "version": "<= 0.1.2"}]}], "references": [{"url": "https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/", "name": "https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/", "tags": ["x_refsource_CONFIRM"]}, {"url": "https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624", "name": "https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624", "tags": ["x_refsource_MISC"]}, {"url": "https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32", "name": "https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32", "tags": ["x_refsource_MISC"]}], "descriptions": [{"lang": "en", "value": "Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-352", "description": "CWE-352: Cross-Site Request Forgery (CSRF)"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-697", "description": "CWE-697: Incorrect Comparison"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2024-03-20T21:55:22.872Z"}}}, "cveMetadata": {"cveId": "CVE-2024-29026", "state": "PUBLISHED", "dateUpdated": "2024-08-02T01:03:51.653Z", "dateReserved": "2024-03-14T16:59:47.611Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2024-03-20T21:55:22.872Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.1"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:owncast_project:owncast:*:*:*:*:*:*:*:*", "matchCriteriaId": "B718EA49-0FCC-42AD-9800-B67DC508E8D4", "versionEndIncluding": "0.1.2", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Owncast is an open source, self-hosted, decentralized, single user live video streaming and chat server. In versions 0.1.2 and prior, a lenient CORS policy allows attackers to make a cross origin request, reading privileged information. This can be used to leak the admin password. Commit 9215d9ba0f29d62201d3feea9e77dcd274581624 fixes this issue."}, {"lang": "es", "value": "Owncast es un servidor de chat y transmisi\u00f3n de video en vivo de c\u00f3digo abierto, autohospedado, descentralizado y de un solo usuario. En las versiones 0.1.2 y anteriores, una pol\u00edtica CORS indulgente permite a los atacantes realizar una solicitud de origen cruzado, leyendo informaci\u00f3n privilegiada. Esto se puede utilizar para filtrar la contrase\u00f1a de administrador. El commit 9215d9ba0f29d62201d3feea9e77dcd274581624 soluciona este problema."}], "id": "CVE-2024-29026", "lastModified": "2025-10-14T17:01:44.903", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 8.2, "baseSeverity": "HIGH", "confidentialityImpact": "LOW", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 4.2, "source": "security-advisories@github.com", "type": "Secondary"}, {"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 9.1, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.2, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2024-03-20T22:15:08.557", "references": [{"source": "security-advisories@github.com", "tags": ["Product"], "url": "https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32"}, {"source": "security-advisories@github.com", "tags": ["Patch"], "url": "https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624"}, {"source": "security-advisories@github.com", "tags": ["Third Party Advisory", "Exploit"], "url": "https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Product"], "url": "https://github.com/owncast/owncast/blob/v0.1.2/router/middleware/auth.go#L32"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Patch"], "url": "https://github.com/owncast/owncast/commit/9215d9ba0f29d62201d3feea9e77dcd274581624"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "tags": ["Third Party Advisory", "Exploit"], "url": "https://securitylab.github.com/advisories/GHSL-2023-261_Owncast/"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-352"}, {"lang": "en", "value": "CWE-697"}], "source": "security-advisories@github.com", "type": "Secondary"}]}