CVE-2021-41126

7.2 HIGH

📋 TL;DR

This vulnerability allows deleted administrator accounts to still authenticate and access the October CMS backend. It affects October CMS v2.0 installations where administrator accounts have been deleted. The issue stems from improper authentication validation.

💻 Affected Systems

Products:
  • October CMS
Versions: v2.0
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Only affects installations where administrator accounts have been deleted. Fresh installations without deleted accounts are not vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Deleted administrators regain full backend access, potentially compromising the entire CMS, modifying content, installing malicious plugins, or accessing sensitive data.

🟠 Likely Case

Former administrators who were deleted could sign in and perform unauthorized actions within the CMS backend, leading to data manipulation or privilege escalation.

🟢 If Mitigated

With proper access logging and monitoring, unauthorized logins could be detected and blocked, limiting damage to logged activities.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires knowledge of deleted administrator credentials. No public exploit code is known, but the vulnerability is straightforward to leverage.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: v2.1.12

Vendor Advisory: https://github.com/octobercms/october/security/advisories/GHSA-6gjf-7w99-j7x7

Restart Required: No

Instructions:

1. Back up your October CMS installation and database.
2. Update the october/october package to version 2.1.12 via Composer: composer require october/october:2.1.12
3. Run any necessary migrations: php artisan october:up
4. Verify the update by checking the version in the backend.

🔧 Temporary Workarounds

No workarounds available


The vendor states there are no workarounds for this issue. Updating is the only solution.

🧯 If You Can't Patch

  • Monitor authentication logs for any login attempts from deleted administrator accounts and block them manually.
  • Implement additional authentication controls like IP whitelisting or multi-factor authentication for the backend.

🔍 How to Verify

Check if Vulnerable:

Check if you are running October CMS v2.0 and have deleted any administrator accounts. Attempt to sign in with credentials of a deleted administrator account.

Check Version:

php artisan october:version

Verify Fix Applied:

After updating to v2.1.12, attempt to sign in with credentials of a deleted administrator account; it should fail. Verify the version in the backend matches 2.1.12.

📡 Detection & Monitoring

Log Indicators:

  • Successful login events from previously deleted administrator accounts in October CMS logs or authentication logs.

Network Indicators:

  • Unusual backend access patterns from IP addresses associated with former administrators.

SIEM Query:

source="october.log" AND "successful login" AND user IN [list_of_deleted_admins]
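The SIEM query above, as an added worked example that is not part of the original advisory: a small Python detector that reads login audit lines and flags any successful backend login by an account on the deleted-administrator list. The log line format and the sample records are constructed for this example; October CMS's real log layout may differ, so adapt the regex to what your installation actually writes.

```python
import re
from datetime import datetime

# Assumed line format for this example: "<ISO timestamp> <ip> <result> login=<name>".
# This is NOT October CMS's native log format; adjust the pattern to your logs.
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<result>successful|failed) login login=(?P<login>\S+)$"
)

def deleted_admin_logins(log_lines, deleted_admins):
    """Return successful backend logins whose account is in the deleted set.

    Any hit is a direct indicator for CVE-2021-41126: a deleted administrator
    should never be able to complete a login, so a success here is not noise.
    Failed attempts are left out because they are the expected outcome.
    """
    deleted = {name.lower() for name in deleted_admins}  # case-insensitive match
    findings = []
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip unrelated or malformed entries
        if m["result"] != "successful":
            continue  # a failed login from a deleted account is normal
        if m["login"].lower() in deleted:
            findings.append({
                "time": datetime.fromisoformat(m["ts"]),
                "ip": m["ip"],
                "login": m["login"],
            })
    return findings

# Constructed sample data; not taken from any real installation.
DELETED_ADMINS = ["former.admin", "contractor2"]
SAMPLE_LOG = [
    "2021-10-12T08:15:02 203.0.113.7 successful login login=former.admin",
    "2021-10-12T08:16:40 198.51.100.4 failed login login=contractor2",
    "2021-10-12T09:01:11 192.0.2.10 successful login login=current.admin",
    "2021-10-12T09:30:55 198.51.100.4 successful login login=Contractor2",
    "garbage line without structure",
]

if __name__ == "__main__":
    for hit in deleted_admin_logins(SAMPLE_LOG, DELETED_ADMINS):
        print(f"ALERT: deleted admin {hit['login']} logged in from {hit['ip']} at {hit['time']}")
```

After applying the v2.1.12 update, the same detector should return no hits, which doubles as a post-patch verification step.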

🔗 References
