CVE-2026-46485

Summary

Dashy is a self-hostable personal dashboard. Prior to 4.0.8, Dashy deployments using OIDC can allow unauthenticated users or non-admin authenticated users to write changes to the main config.yaml through the config-saving functionality despite configured permissions, allowing unauthorized modification of dashboard configuration and potential service disruption. This issue is fixed in version 4.0.8.

Affected Software

VendorProductVersion RangeStatus
lissy93dashy< 4.0.8affected

Weaknesses

  • CWE-15: CWE-15: External Control of System or Configuration Setting
  • CWE-284: CWE-284: Improper Access Control
  • CWE-287: CWE-287: Improper Authentication
  • CWE-602: CWE-602: Client-Side Enforcement of Server-Side Security

References