Platform: other
Component: maxtime
Fixed in: 2.11.1
CVE-2025-26341 describes a critical vulnerability in Q-Free MaxTime: a missing authentication check on the password reset functionality. An unauthenticated remote attacker can send crafted HTTP requests to the reset function and arbitrarily reset user passwords, taking over the affected accounts. The vulnerability affects all versions up to and including 2.11.0; a patch is available in version 2.11.1.
The impact is severe because exploitation requires nothing more than a crafted HTTP request: no prior knowledge of any user's credentials is needed, so the attack is accessible to anyone who can reach the application. An attacker who resets a user's password gains full control of that account within MaxTime, which can mean access to sensitive data, modification of system configuration and, with a sufficiently privileged account, complete takeover of the system. Widespread account compromise, operational disruption and reputational damage are realistic outcomes.
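The following is a constructed illustration of the vulnerability class described above (a password reset handler that never checks who is calling it) next to a hardened version. It is added here as an example and is not Q-Free MaxTime code: the request shape, the session store, the user table and the field names are assumptions made for the example.

```python
"""Constructed illustration of a missing authentication check on password reset
(CWE-306), beside a hardened handler. Not Q-Free MaxTime code: request shape,
session store and user table are assumptions made for this example."""
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import Dict, Optional


def hash_password(password: str, salt: bytes) -> bytes:
    # Low iteration count keeps the example fast; production would use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 20_000)


@dataclass
class User:
    username: str
    salt: bytes
    pw_hash: bytes

    def check(self, password: str) -> bool:
        return hmac.compare_digest(self.pw_hash, hash_password(password, self.salt))


@dataclass
class Request:
    """Stand-in for an HTTP request: parsed form body plus the session cookie."""
    form: Dict[str, str]
    session_id: Optional[str] = None


class Accounts:
    def __init__(self) -> None:
        self.users: Dict[str, User] = {}
        self.sessions: Dict[str, str] = {}  # session_id -> username

    def add_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[username] = User(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str) -> Optional[str]:
        user = self.users.get(username)
        if user is None or not user.check(password):
            return None
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = username
        return sid

    def _set_password(self, user: User, new_password: str) -> None:
        user.salt = os.urandom(16)
        user.pw_hash = hash_password(new_password, user.salt)
        # Invalidate every session of that user so a stolen cookie dies with the old password.
        self.sessions = {s: u for s, u in self.sessions.items() if u != user.username}

    def reset_password_vulnerable(self, req: Request) -> bool:
        """Missing authentication check: the account to reset is read from the
        attacker-controlled form body and the caller's identity is never examined,
        so a single unauthenticated POST resets any user's password."""
        user = self.users.get(req.form.get("username", ""))
        new_password = req.form.get("new_password", "")
        if user is None or not new_password:
            return False
        self._set_password(user, new_password)
        return True

    def reset_password_fixed(self, req: Request) -> bool:
        """Hardened handler: the target account is derived from the server-side
        session, never from the request body, and the current password is
        re-verified so a hijacked session alone cannot lock the owner out."""
        username = self.sessions.get(req.session_id or "")
        if username is None:
            return False  # would be HTTP 401: no valid session
        user = self.users[username]
        if not user.check(req.form.get("current_password", "")):
            return False  # would be HTTP 403: caller cannot prove the current password
        new_password = req.form.get("new_password", "")
        if not new_password:
            return False  # would be HTTP 400
        self._set_password(user, new_password)
        return True


if __name__ == "__main__":
    acc = Accounts()
    acc.add_user("alice", "correct horse")
    attack = Request(form={"username": "alice", "new_password": "pwned"})
    print("vulnerable handler, unauthenticated reset:", acc.reset_password_vulnerable(attack))
    acc = Accounts()
    acc.add_user("alice", "correct horse")
    print("fixed handler, unauthenticated reset:", acc.reset_password_fixed(attack))
```

The essential difference is where the identity of the account being reset comes from: the vulnerable handler trusts a field the client supplies, the fixed one trusts only server-side session state that was established by a successful login.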
CVE-2025-26341 was publicly disclosed on February 12, 2025. There is currently no indication of active exploitation in the wild, nor are there any publicly available proof-of-concept exploits. The vulnerability's simplicity and critical severity suggest it may become a target for opportunistic attackers. It is not currently listed on the CISA KEV catalog.
Exploit Status
EPSS: 0.99% (77th percentile)
CISA SSVC
CVSS Vector
The primary mitigation for CVE-2025-26341 is to upgrade Q-Free MaxTime to version 2.11.1 or later. If upgrading is not immediately feasible, restrict network access to the password reset endpoint so that unauthenticated clients outside the expected management networks cannot reach it. Rate limiting on its own is not a workaround: the flaw is a missing authentication check, and a single well-formed request is enough to reset an account, so rate limiting at best slows mass resets. Monitor access logs for password reset requests, especially from unexpected source addresses, and treat any successful reset that no user initiated as an incident. After upgrading, confirm the fix by sending a password reset request with no session or credentials: it must be rejected.
Update Q-Free MaxTime to version 2.11.1 or later; this addresses the missing authentication check on the password reset function. Refer to the vendor's security advisory for details on the update.
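For the interim monitoring step, the following added example (not from the advisory or the vendor) scans web-server access logs in combined log format for password reset requests and flags those coming from outside the networks that should be allowed to reach the endpoint. The reset path pattern, the trusted networks and the log lines are all assumptions made for the example; the advisory does not publish MaxTime's actual endpoint, so adjust the pattern once the real path is known.

```python
"""Constructed example: flag password reset requests from untrusted sources in
combined-format access logs. Path pattern, trusted networks and sample log
lines are assumptions, not details from the advisory or the vendor."""
import ipaddress
import re
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Hypothetical path pattern; replace with the real reset endpoint once identified.
RESET_PATH_RE = re.compile(r"password[/_-]?reset", re.IGNORECASE)

# Networks from which legitimate administration is expected (assumed values).
TRUSTED_NETS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.5.0/24"),
]

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample log lines (not real traffic).
SAMPLE_LOG = """\
10.20.3.4 - - [12/Feb/2025:10:01:02 +0000] "GET /login HTTP/1.1" 200 1234
10.20.3.4 - - [12/Feb/2025:10:01:10 +0000] "POST /user/password_reset HTTP/1.1" 200 512
203.0.113.7 - - [12/Feb/2025:10:05:44 +0000] "POST /user/password_reset HTTP/1.1" 200 512
203.0.113.7 - - [12/Feb/2025:10:05:45 +0000] "POST /user/password_reset HTTP/1.1" 200 512
198.51.100.9 - - [12/Feb/2025:10:07:00 +0000] "GET /static/app.js HTTP/1.1" 304 0
203.0.113.7 - - [12/Feb/2025:10:09:13 +0000] "POST /user/password_reset HTTP/1.1" 403 77
"""


def parse_line(line: str) -> Optional[Dict[str, str]]:
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_reset_request(rec: Dict[str, str]) -> bool:
    # Only state-changing methods matter; fetching the reset form with GET is noise.
    return rec["method"] in ("POST", "PUT", "PATCH") and bool(RESET_PATH_RE.search(rec["path"]))


def is_trusted(ip: str, nets=TRUSTED_NETS) -> bool:
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False  # malformed address field: never treat as trusted
    return any(addr in net for net in nets)


def scan(log_text: str, nets=TRUSTED_NETS) -> Tuple[List[Dict[str, str]], Counter]:
    """Return (findings, reset_attempts_per_ip). A finding is a reset request from
    an untrusted source; a 2xx status means the reset actually went through."""
    findings: List[Dict[str, str]] = []
    per_ip: Counter = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not is_reset_request(rec):
            continue
        per_ip[rec["ip"]] += 1
        if not is_trusted(rec["ip"], nets):
            findings.append({"ip": rec["ip"], "ts": rec["ts"],
                             "path": rec["path"], "status": rec["status"]})
    return findings, per_ip


if __name__ == "__main__":
    found, counts = scan(SAMPLE_LOG)
    for f in found:
        tag = "SUCCEEDED" if f["status"].startswith("2") else "rejected"
        print(f"{f['ts']} {f['ip']} {f['path']} -> {f['status']} ({tag})")
    print("reset attempts per source:", dict(counts))
```

Run against the constructed sample, the scanner reports three reset requests from 203.0.113.7, two of which returned 200 and therefore deserve an incident follow-up, while the single request from the trusted 10.20.0.0/16 network is counted but not flagged. The per-source counter is the input for a burst alert if you later decide to add one.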
CVE-2025-26341 is a critical vulnerability in Q-Free MaxTime versions 0–2.11.0 that allows unauthenticated attackers to reset user passwords via HTTP requests.
If you are using Q-Free MaxTime versions 0 through 2.11.0, you are potentially affected by this vulnerability.
Upgrade to Q-Free MaxTime version 2.11.1 or later to resolve the vulnerability. Consider temporary workarounds if immediate upgrade is not possible.
There is currently no evidence of active exploitation, but the vulnerability's severity suggests it may become a target.
Refer to the Q-Free security advisory for detailed information and updates regarding CVE-2025-26341.