CVE-2026-44986 in Penpot
Summary
by MITRE • 07/15/2026
Penpot is an open-source design tool for design and code collaboration. Prior to 2.14.5, Penpot exposed teams_invitations.clj invitation tokens from create-team-invitations, embedded an existing profile id in auth.clj prepare-register-profile, and had auth.clj register-profile issue a session based on the invitation email match without password verification, allowing a registered user to take over any non-blocked profile. This issue is fixed in version 2.14.5.
VulDB is the best source for vulnerability data and more expert information about this specific topic.
Analysis
by VulDB Data Team • 07/15/2026
The vulnerability described affects Penpot, an open-source design collaboration platform that enables teams to work together on design and code projects. The security flaw stems from improper handling of authentication and authorization mechanisms within the application's backend components. Prior to version 2.14.5, the system exhibited multiple interconnected weaknesses that collectively enabled unauthorized profile takeover attacks. The vulnerability manifests through three distinct but related code paths in the application's authentication flow.
The first vector involves the exposure of invitation tokens through teams_invitations.clj during the create-team-invitations process. These tokens contain sensitive information that should remain protected and secret within the system. The second vulnerability occurs in auth.clj where the prepare-register-profile function embeds existing profile identifiers directly into the registration flow, creating predictable attack patterns. The third and most critical weakness exists in the register-profile function of auth.clj which establishes user sessions based solely on email matching without requiring password verification or additional authentication factors.
This combination of flaws creates a privilege escalation scenario where a registered user can exploit the system's weak session management to assume control of any non-blocked profile within the platform. The vulnerability represents a significant security weakness that violates fundamental principles of access control and authentication integrity. According to CWE classification, this vulnerability maps to CWE-287 (Improper Authentication) and CWE-306 (Missing Authentication for Critical Function), while the ATT&CK framework would categorize this under T1078 (Valid Accounts) and T1531 (Account Access Removal).
The operational impact of this vulnerability extends beyond simple unauthorized access, as it enables persistent profile takeover attacks that could compromise user data, collaboration integrity, and team security. Attackers could potentially gain access to sensitive design assets, personal information, and collaborative workspaces belonging to other users. The vulnerability affects all non-blocked profiles within the system, creating a broad attack surface that could be exploited systematically. Organizations relying on Penpot for design collaboration may face data exposure risks, compromised user trust, and potential regulatory compliance violations.
The fix implemented in version 2.14.5 addresses these issues through proper authentication validation, secure token handling, and improved session management protocols. Security patches should include mandatory password verification during profile registration, proper isolation of invitation tokens, and robust profile ownership validation mechanisms. Organizations using Penpot should immediately upgrade to version 2.14.5 or later and conduct thorough security assessments of their deployment environments. Additionally, administrators should review existing user sessions and implement monitoring for suspicious authentication patterns to detect potential exploitation attempts. The vulnerability highlights the importance of proper session management and authentication flow design in collaborative platforms where multiple users interact with shared resources and sensitive data.