CVE-2026-46485 in Dashyinfo

Summary

by MITRE • 07/15/2026

Dashy is a self-hostable personal dashboard. Prior to 4.0.8, Dashy deployments using OIDC can allow unauthenticated users or non-admin authenticated users to write changes to the main config.yaml through the config-saving functionality despite configured permissions, allowing unauthorized modification of dashboard configuration and potential service disruption. This issue is fixed in version 4.0.8.

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/15/2026

This vulnerability affects Dashy versions prior to 408 where the OpenID Connect authentication system fails to properly enforce access controls during configuration modification operations. The flaw exists within the application's permission model that should restrict write access to the main configyaml file to authenticated administrators only. However, the security boundary is compromised allowing any unauthenticated user or non-admin authenticated user to submit requests that modify the core dashboard configuration through the config-saving functionality.

The technical implementation of this vulnerability stems from inadequate input validation and authorization checks within the configuration management component. When users attempt to save configuration changes through the web interface, the application does not properly verify whether the requesting user possesses sufficient privileges to modify system-level settings. This represents a classic authorization bypass issue that falls under CWE-285 which addresses improper authorization in software systems. The flaw allows for privilege escalation where users can manipulate dashboard behavior without proper authentication credentials.

The operational impact of this vulnerability extends beyond simple configuration modification as it creates potential for service disruption and unauthorized access to dashboard functionality. An attacker could modify critical settings such as user permissions, external service integrations, or dashboard layout configurations that could render the dashboard unusable or redirect traffic to malicious endpoints. The vulnerability essentially undermines the entire security posture of Dashy deployments that rely on OIDC for authentication, making it possible for any user to gain administrative control over the dashboard configuration.

This issue aligns with several ATT&CK techniques including T1078 Valid Accounts for maintaining persistence and T1484 Defense Evasion for bypassing access controls. The vulnerability creates opportunities for attackers to establish persistent access patterns by modifying configuration files that control dashboard behavior and user access permissions. Organizations using Dashy with OIDC authentication should immediately implement version 408 or later where the fix addresses the improper authorization checks in the configuration saving functionality.

The mitigation strategy requires immediate deployment of Dashy version 408 which implements proper access control enforcement for configuration modifications. Administrators should also review existing configurations to ensure that only authorized users possess administrative privileges and consider implementing additional monitoring for unauthorized configuration changes. Security teams should implement network-level controls to restrict access to sensitive endpoints and establish audit trails for all configuration modification activities to detect potential exploitation attempts.

Responsible

GitHub M

Reservation

05/14/2026

Disclosure

07/15/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!