{"id":"CVE-2024-12776","summary":"Authentication Bypass in langgenius/dify","details":"In langgenius/dify v0.10.1, the `/forgot-password/resets` endpoint does not verify the password reset code, allowing an attacker to reset the password of any user, including administrators. This vulnerability can lead to a complete compromise of the application.","modified":"2026-07-15T01:49:06.029311377Z","published":"2025-03-20T10:10:42.717Z","database_specific":{"osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12776.json","cna_assigner":"@huntr_ai","cwe_ids":["CWE-305"]},"references":[{"type":"WEB","url":"https://huntr.com/bounties/00a8b403-7da5-431e-afa3-40339cf734bf"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2024/12xxx/CVE-2024-12776.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2024-12776"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/langgenius/dify","events":[{"introduced":"400392230b47fff5d011b55afd8b0f8b8083ade0"},{"last_affected":"400392230b47fff5d011b55afd8b0f8b8083ade0"}],"database_specific":{"cpe":"cpe:2.3:a:langgenius:dify:0.10.1:*:*:*:*:node.js:*:*","extracted_events":[{"introduced":"0.10.1"},{"last_affected":"0.10.1"}],"source":"CPE_STRING"}}],"versions":["0.10.1"],"database_specific":{"source":"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2024-12776.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H"}]}