Platform
nodejs
Component
homarr
Fixed in
1.57.1
CVE-2026-32602 is a race condition in Homarr, an open-source dashboard. It affects versions 0.0.0 through 1.56.9 and lets an attacker create several user accounts from a single-use invite token, because the registration flow is not transactional: the token lookup, the account insert and the token deletion run as separate, non-atomic database operations, so concurrent requests can all pass validation before the token is removed. A patch is available in version 1.57.0.
CVE-2026-32602 affects the user registration endpoint of Homarr (/api/trpc/user.register). Before version 1.57.0 the registration flow performs three sequential database operations, CHECK (look up and validate the invite token), CREATE (insert the user) and DELETE (remove the token), without wrapping them in a transaction. Because the token is only deleted after the user row is written, every request that reads the token before the first request reaches the DELETE step passes the check, and each of them creates an account. The impact depends on how Homarr is deployed and how sensitive the data behind the dashboard is: an attacker can mint accounts for spam or abuse, create load on the instance, or, if the accounts created through the invite receive elevated privileges, gain access to information they should not have.
Exploiting CVE-2026-32602 requires reachability of the registration endpoint and one valid invite token. The attacker scripts many registration requests that all carry the same token and sends them concurrently. The window in which the race can be won spans from the moment a request reads the token to the moment that request deletes it, which includes at least the account insert, so it is at least one database round trip wide; database latency and server load widen it further. On the attacker's side the requests only need to land inside that window, which is straightforward with parallel connections. Exploitation therefore needs little more than a basic understanding of the registration flow and a tool that can issue concurrent HTTP requests.
Exploit Status
EPSS
0.03% (8th percentile)
The fix for CVE-2026-32602 is to update Homarr to version 1.57.0 or later. That version closes the race by running the token verification, the account creation and the token deletion as one atomic unit of work, so a concurrent request can no longer read a token that another request is in the middle of consuming. Apply the update promptly and, as part of the same review, check the instance's user management settings. If updating immediately is not possible, rate limiting the registration endpoint and adding extra verification on new accounts reduce the exposure, but neither closes the race: a burst of requests that arrives within a single rate-limit window can still land inside the vulnerable interval, so treat these as stopgaps and audit the accounts that were created with each invite in the meantime.
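The race described in the sections above and the atomic fix, as an added TypeScript simulation written for this page. It is not Homarr's code: the in-memory store, the invite and user record shapes and the function names (`registerVulnerable`, `registerFixed`, `consumeInvite`) are assumptions for illustration, and the sample token is constructed. The simulated database yields to the event loop on every query, which reproduces the window between CHECK and DELETE; ten concurrent registrations with one token create ten accounts in the pre-fix flow and exactly one in the fixed flow.

```typescript
// Added example: simulation of the CHECK / CREATE / DELETE registration race.
// Hypothetical code, not Homarr's source. Store, record shapes and function
// names are assumptions made for illustration.

type Invite = { token: string; expiresAt: number };
type User = { id: number; name: string; invite: string };

// Simulated database round trip. Every query yields to the event loop, which is
// exactly what opens the window between the token check and the token delete.
const roundTrip = (): Promise<void> => new Promise((r) => setTimeout(r, 1));

class FakeDb {
  private invites = new Map<string, Invite>();
  users: User[] = [];

  seedInvite(token: string, ttlMs = 60_000): void {
    this.invites.set(token, { token, expiresAt: Date.now() + ttlMs });
  }

  // SELECT * FROM invite WHERE token = ?
  async findInvite(token: string): Promise<Invite | undefined> {
    await roundTrip();
    return this.invites.get(token);
  }

  // INSERT INTO user (...)
  async createUser(name: string, invite: string): Promise<User> {
    await roundTrip();
    const user: User = { id: this.users.length + 1, name, invite };
    this.users.push(user);
    return user;
  }

  // DELETE FROM invite WHERE token = ?
  async deleteInvite(token: string): Promise<void> {
    await roundTrip();
    this.invites.delete(token);
  }

  // Atomic check-and-consume: lookup and delete happen with no interleaving
  // point between them. In SQL this models
  //   DELETE FROM invite WHERE token = ? AND expires_at > now() RETURNING *
  // or the same SELECT + DELETE inside one transaction holding a row lock.
  async consumeInvite(token: string): Promise<Invite | undefined> {
    await roundTrip();
    const invite = this.invites.get(token);
    if (!invite || invite.expiresAt <= Date.now()) return undefined;
    this.invites.delete(token);
    return invite;
  }
}

// Pre-fix flow: three separate queries, no transaction (the bug pattern).
async function registerVulnerable(db: FakeDb, token: string, name: string): Promise<boolean> {
  const invite = await db.findInvite(token);                     // CHECK
  if (!invite || invite.expiresAt <= Date.now()) return false;
  await db.createUser(name, token);                              // CREATE
  await db.deleteInvite(token);                                  // DELETE, too late
  return true;
}

// Fixed flow: consume the token atomically first, then create the user.
async function registerFixed(db: FakeDb, token: string, name: string): Promise<boolean> {
  const invite = await db.consumeInvite(token);                  // CHECK + DELETE
  if (!invite) return false;
  await db.createUser(name, token);                              // CREATE
  return true;
}

// "Attacker": fire `attempts` registrations for the same token at once and
// report how many accounts actually ended up in the database.
async function race(
  register: (db: FakeDb, token: string, name: string) => Promise<boolean>,
  attempts: number,
): Promise<number> {
  const db = new FakeDb();
  const token = "single-use-invite-token"; // constructed sample token
  db.seedInvite(token);
  await Promise.all(
    Array.from({ length: attempts }, (_, i) => register(db, token, `attacker${i}`)),
  );
  return db.users.length;
}

race(registerVulnerable, 10).then((n) => console.log(`pre-fix flow: ${n} accounts from one invite`));
race(registerFixed, 10).then((n) => console.log(`fixed flow: ${n} account(s) from one invite`));
```

The point of `consumeInvite` is that the read and the delete are a single step from the point of view of every other request; in a real database that property comes from a transaction with a row lock or from a conditional DELETE with RETURNING, not from simply calling the three queries in a different order.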
Update to version 1.57.0 or later to mitigate the race condition in user registration. The update fixes the issue by making the CHECK, CREATE and DELETE database operations atomic, so that multiple accounts can no longer be registered with a single invite token.
A race condition occurs when the outcome of a program depends on the relative timing of concurrent operations; here, on whether a second request's token check runs before the first request's token deletion.
An atomic transaction is a sequence of operations that are executed as an indivisible unit: if any operation fails, the entire transaction is rolled back. For this fix the isolation of the transaction matters as much as its atomicity; the token row must be locked or deleted within the same unit of work so that a concurrent request cannot read it in between.
Implement temporary measures such as limiting the rate of registration requests or adding additional verification of new accounts, keeping in mind that these reduce but do not eliminate the race.
Review your user accounts for unauthorized accounts created with a single invite token.
Updating to version 1.57.0 mitigates this specific vulnerability. However, it is important to keep Homarr updated with the latest security patches to protect against other potential vulnerabilities.