CVE-2026-61718
5.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L
Summary
bunkerweb is an Open-source and next-generation Web Application Firewall (WAF). From 1.6.2 until 1.6.12, the BunkerWeb web UI BiscuitMiddleware authorization bypass list included the /cache/ URL prefix, so routes in src/ui/app/routes/cache.py protected only by @login_required, including POST /cache/delete, allowed low-privilege read-only reader accounts to permanently delete job cache files containing blacklist, greylist, DNSBL, CrowdSec, GeoIP, ModSecurity CRS, Let's Encrypt, ACME, and custom configuration data. This issue is fixed in version 1.6.12.
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| bunkerity | bunkerweb | >= 1.6.2, < 1.6.12 | affected |
Weaknesses
- CWE-285: CWE-285: Improper Authorization
- CWE-862: CWE-862: Missing Authorization
References
- https://github.com/bunkerity/bunkerweb/security/advisories/GHSA-q7rm-935c-v39g
- https://github.com/bunkerity/bunkerweb/commit/685ccbbe7d204132a843a7b7fd802d1bdb3f20a9
- https://github.com/bunkerity/bunkerweb/releases/tag/v1.6.12
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.