A CWE-306 "Missing Authentication for Critical Function" in maxprofile/accounts/routes.lua in Q-Free MaxTime less than or equal to version 2.11.0 allows an unauthenticated remote attacker to reset arbitrary user passwords via crafted HTTP requests.
The maxprofile/accounts/routes.lua file lacks an authentication mechanism for a critical function (CWE-306), meaning the endpoint responsible for password reset is accessible without any authorization. An attacker can send appropriately crafted HTTP requests to the vulnerable endpoint and force a password change for a selected user account. This grants full control over any account in the system.
An attacker can take control of any user account in the system, including administrative accounts, leading to complete compromise of data confidentiality, integrity, and availability as well as system functionality.
Patches available from the vendor should be applied in accordance with references. Detailed information is available in the Nozomi Networks advisory: https://www.nozominetworks.com/labs/vulnerability-advisories-cve-2025-26341. Until the update is deployed, it is recommended to restrict network access to the Q-Free MaxTime system management interface exclusively to trusted IP addresses.
Q-Free MaxTime version 2.11.0 and earlier.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HQ Free Maxtime
APPQ-Free≤ 2.11.0
Related vulnerabilities
Q-Free MaxTime: brak uwierzytelnienia umożliwia włączenie trybu gościa bez hasła
Q-Free MaxTime: tworzenie kont bez uwierzytelnienia (w tym kont admina)
Brak uwierzytelnienia dla krytycznej funkcji w Q-Free MaxTime
Q-Free MaxTime: zakodowane hasło root umożliwia zdalny RCE przez SSH
Q-Free MaxTime: brak uwierzytelnienia umożliwia zmianę uprawnień grup użytkowników