CVE-2025-56449
📋 TL;DR
This vulnerability allows attackers to bypass MFA enforcement in Obsidian Scheduler by using Basic Authentication through the REST API even when accounts are locked out for not enrolling in MFA. This enables unauthorized administrative actions including creating new privileged users. Organizations using Obsidian Scheduler versions 5.0.0 through 6.3.0 with MFA enforcement enabled are affected.
💻 Affected Systems
- Obsidian Scheduler
⚠️ Manual Verification Required
Automated version matching is not available for this entry, so confirm exposure by hand against the range stated above (5.0.0 through 6.3.0 inclusive, with MFA enforcement enabled):
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of the Obsidian Scheduler instance allowing attackers to create new admin accounts, modify job configurations, access sensitive data, and potentially pivot to other systems.
Likely Case
Unauthorized administrative access leading to privilege escalation, job manipulation, and potential data exposure.
If Mitigated
Limited impact if proper network segmentation and access controls prevent unauthorized REST API access.
🎯 Exploit Status
Exploitation requires valid credentials for an account that MFA enforcement has locked out (for example, an administrator who never enrolled) plus network reachability of the REST API. No special tooling is needed: Basic Authentication is a single Authorization header on an ordinary HTTP request, so any HTTP client can exercise the bypass.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 6.3.1
Vendor Advisory: https://wiki.obsidianscheduler.com/docs/Release_Notes#Obsidian_6.3.1
Restart Required: Yes
Instructions:
1. Download Obsidian Scheduler 6.3.1 from official sources.
2. Back up the current installation and configuration.
3. Stop the Obsidian Scheduler service.
4. Replace the installation with version 6.3.1.
5. Restart the service.
6. Verify functionality.
🔧 Temporary Workarounds
Disable REST API Basic Authentication
Disable Basic Authentication for the REST API to close the vector this vulnerability uses.
Modify the REST API configuration to disable Basic Authentication; consult the Obsidian documentation for the specific configuration steps. Expect any integrations or scripts that authenticate to the REST API with Basic Authentication to break until they are moved to a supported alternative.
Network Access Control
Restrict network access to the REST API endpoints using firewall rules.
Configure the firewall to allow REST API access only from trusted IP addresses/networks. This reduces exposure but does not remove the bypass: a caller inside the trusted range who holds locked-account credentials can still authenticate.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Obsidian Scheduler from untrusted networks
- Monitor REST API authentication logs for suspicious Basic Authentication attempts
🔍 How to Verify
Check if Vulnerable:
Check Obsidian Scheduler version. If between 5.0.0 and 6.3.0 inclusive, and MFA enforcement is enabled, the system is vulnerable.
Check Version:
Check Obsidian Scheduler web interface or configuration files for version information.
Verify Fix Applied:
Verify that the version is 6.3.1 or later. Then test that an account locked out for MFA non-enrolment is rejected when it authenticates to the REST API with Basic Authentication; use a dedicated test account rather than a production administrator.
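The following probe is an added example, not code from this page or from the Obsidian Scheduler project. It sends one request with a Basic Authentication header for a locked test account and classifies the response: 401/403 means the lockout is enforced on the REST API (fix applied), a 2xx means the request was accepted (still vulnerable). The endpoint path `/rest/example` is a placeholder assumption; substitute an authenticated REST API path from your own deployment, and prefer one that returns data rather than redirecting to a login page, since a redirect that lands on a 200 would be misread as acceptance.

```python
import base64
import urllib.error
import urllib.request

# Hypothetical placeholder: replace with a real authenticated REST API path
# from your Obsidian Scheduler deployment (not taken from vendor docs).
DEFAULT_ENDPOINT = "/rest/example"


def build_basic_auth_header(username: str, password: str) -> str:
    """Return the Authorization header value for HTTP Basic Authentication."""
    token = base64.b64encode(f"{username}:{password}".encode("utf-8")).decode("ascii")
    return f"Basic {token}"


def probe_locked_account(base_url: str, username: str, password: str,
                         endpoint: str = DEFAULT_ENDPOINT,
                         opener=urllib.request.urlopen, timeout: int = 10) -> str:
    """Send one Basic-auth request as an account that MFA enforcement has locked out.

    Returns 'rejected'  -> 401/403: the REST API honours the lockout (fix applied),
            'accepted'  -> 2xx: the locked account authenticated (still vulnerable),
            'unexpected:<code>' -> anything else; inspect manually.
    `opener` is injectable so the function can be exercised without a live server.
    """
    req = urllib.request.Request(base_url.rstrip("/") + endpoint, method="GET")
    req.add_header("Authorization", build_basic_auth_header(username, password))
    try:
        resp = opener(req, timeout=timeout)
    except urllib.error.HTTPError as err:
        if err.code in (401, 403):
            return "rejected"
        return f"unexpected:{err.code}"
    code = resp.getcode()
    if 200 <= code < 300:
        return "accepted"
    return f"unexpected:{code}"


if __name__ == "__main__":
    import sys
    # usage: python probe.py https://scheduler.example.internal locked_user password
    base, user, pw = sys.argv[1:4]
    print(probe_locked_account(base, user, pw))
```

Run it before and after upgrading to 6.3.1 with the same locked test account; the result should change from `accepted` to `rejected`. Run it only against systems you are authorised to test.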
📡 Detection & Monitoring
Log Indicators:
- Failed web interface login attempts followed by successful REST API Basic Authentication
- REST API authentication from locked accounts
- Unusual user creation or privilege modification events
Network Indicators:
- Basic Authentication requests to REST API endpoints from unusual sources
- Authentication bypass patterns in API traffic
SIEM Query:
source="obsidian" AND ((event_type="api_auth" AND auth_method="basic" AND user_status="locked") OR (event_type="user_create" AND NOT source_ip IN trusted_ips))
Note the outer parentheses: without them the OR binds the `user_create` clause outside the `source="obsidian"` filter and the query matches user-creation events from every log source.
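The detection logic above, as an added example that is not part of the original page or of any Obsidian Scheduler tooling. It implements the two clauses of the SIEM query plus the sequence indicator from the log list (a failed web login followed shortly by a successful REST API Basic Authentication for the same user) over a handful of constructed log lines. The key=value line format, the field names, and the trusted network 10.0.0.0/8 are assumptions; map them onto the fields your Obsidian logs actually carry.

```python
import ipaddress
from datetime import datetime, timedelta

# Assumption: internal management network; adjust to your own trusted ranges.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed sample log lines in a hypothetical key=value format
# (not Obsidian Scheduler's real log format).
SAMPLE_LOGS = """\
ts=2025-01-10T09:00:01 event_type=web_login user=admin result=failure user_status=locked source_ip=203.0.113.7
ts=2025-01-10T09:00:15 event_type=api_auth user=admin auth_method=basic result=success user_status=locked source_ip=203.0.113.7
ts=2025-01-10T09:01:02 event_type=user_create user=admin target=backdoor role=admin source_ip=203.0.113.7
ts=2025-01-10T10:00:00 event_type=api_auth user=svc_jobs auth_method=basic result=success user_status=active source_ip=10.1.2.3
ts=2025-01-10T10:05:00 event_type=user_create user=ops target=newhire role=user source_ip=10.1.2.3
"""


def parse_line(line: str) -> dict:
    """Split a 'key=value key=value' log line into a dict."""
    return dict(tok.split("=", 1) for tok in line.split())


def is_trusted(ip: str, nets=TRUSTED_NETS) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def find_alerts(log_text: str, trusted_nets=TRUSTED_NETS,
                window: timedelta = timedelta(minutes=10)) -> list:
    """Return (rule, user, source_ip) tuples for events matching the detections.

    Rules:
      locked_basic_auth          - REST API Basic Authentication by a locked account
      web_fail_then_api_success  - failed web login, then successful API auth for
                                   the same user within `window`
      untrusted_user_create      - account creation from outside trusted networks
    """
    last_web_failure = {}  # user -> timestamp of most recent failed web login
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        ts = datetime.fromisoformat(ev["ts"])
        etype = ev.get("event_type")
        user = ev.get("user", "?")
        ip = ev.get("source_ip", "0.0.0.0")

        if etype == "web_login" and ev.get("result") == "failure":
            last_web_failure[user] = ts
        elif etype == "api_auth":
            if ev.get("auth_method") == "basic" and ev.get("user_status") == "locked":
                alerts.append(("locked_basic_auth", user, ip))
            if ev.get("result") == "success":
                prior = last_web_failure.get(user)
                if prior is not None and ts - prior <= window:
                    alerts.append(("web_fail_then_api_success", user, ip))
        elif etype == "user_create" and not is_trusted(ip, trusted_nets):
            alerts.append(("untrusted_user_create", user, ip))
    return alerts


if __name__ == "__main__":
    for rule, user, ip in find_alerts(SAMPLE_LOGS):
        print(f"{rule}: user={user} source_ip={ip}")
```

On the sample, only the `admin` activity from 203.0.113.7 fires: the locked-account API authentication, the failed-web-then-API-success sequence, and the follow-on account creation from an untrusted address. The service account authenticating from the trusted range and the ordinary user creation from inside it produce nothing, which is the noise floor you want before wiring this into a SIEM.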