
CVE-2025-56449: n/a

Severity: High
Published: Mon Sep 29 2025 (09/29/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 through 6.3.0. If an account is locked out because it did not enroll in MFA (e.g. after the 7-day enforcement window), the REST API still allows Basic Authentication for that account to authenticate and perform administrative actions. In particular, the default admin account was found to be locked out via the web interface but still usable through the REST API. This allowed creation of a new privileged user, bypassing MFA protections and undermining the intended security posture of MFA enforcement.

AI-Powered Analysis

AI analysis last updated: 10/28/2025, 20:44:05 UTC

Technical Analysis

CVE-2025-56449 affects Obsidian Scheduler's REST API versions 5.0.0 through 6.3.0. The core issue is that the REST API does not enforce Multi-Factor Authentication (MFA) restrictions consistently with the web interface. When an account is locked out for not enrolling in MFA, for example after the 7-day enforcement window, the REST API still accepts Basic Authentication for that account. This inconsistency lets an attacker bypass the intended MFA lockout. It is particularly serious because the default administrative account, although locked out via the web interface, remains usable through the REST API with Basic Authentication, and that access permits administrative actions, including the creation of new privileged users, undermining the security posture of the affected systems. The vulnerability is classified under CWE-290 (Authentication Bypass by Spoofing) and has a CVSS v3.1 base score of 8.2 (high severity). The attack vector is network-based with low attack complexity, requiring no privileges or user interaction, and the impact is to confidentiality and integrity. No patches or public exploit code are currently available, but the risk remains significant because of the potential for privilege escalation and unauthorized administrative control. The underlying flaw is a design gap: the MFA lockout state is enforced per access method rather than uniformly across the web interface and the API.

Potential Impact

For European organizations, this vulnerability poses a significant risk to the confidentiality and integrity of scheduling and administrative systems managed by Obsidian Scheduler. Unauthorized access to administrative functions can lead to the creation of privileged accounts, enabling attackers to manipulate schedules, disrupt operations, or pivot to other internal systems. Organizations in sectors such as finance, healthcare, manufacturing, and critical infrastructure that rely on automated scheduling tools are particularly vulnerable. The ability to bypass MFA protections undermines compliance with regulatory requirements like GDPR, which mandate strong access controls and data protection measures. Additionally, the persistence of Basic Authentication as an attack vector increases the risk of credential theft and replay attacks. The lack of user interaction and low complexity of exploitation mean that attackers can remotely compromise systems without alerting users, increasing the likelihood of stealthy intrusions. This could result in operational disruptions, data breaches, and reputational damage for affected European entities.

Mitigation Recommendations

1. Immediately disable Basic Authentication on the Obsidian Scheduler REST API, or restrict its use to trusted networks and IP addresses.
2. Enforce consistent MFA policies across all access methods, including web interfaces and APIs, ensuring that lockout states apply uniformly.
3. Audit and rotate credentials for all administrative accounts, especially default accounts, to prevent unauthorized access.
4. Implement network-level controls such as IP whitelisting and VPN requirements for accessing the REST API.
5. Monitor API access logs for unusual authentication attempts or creation of new privileged users.
6. Apply compensating controls such as Web Application Firewalls (WAFs) to detect and block suspicious API calls.
7. Engage with Obsidian Scheduler vendors for patches or updates addressing this vulnerability and plan timely deployment.
8. Conduct regular security assessments and penetration testing focusing on API authentication mechanisms.
9. Educate administrators and users about the risks of bypassing MFA and the importance of secure authentication practices.
10. Integrate anomaly detection systems to alert on deviations in administrative account behaviors.
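One way to act on recommendations 2 and 5 above, as an added example that is not part of this advisory or of Obsidian Scheduler's own code: a Python sketch that replays constructed REST API access-log lines against a constructed account table, flags successful Basic Authentication calls by accounts that are past the 7-day MFA enrollment window (the state the web interface would treat as locked), and flags every user-creation call for review. The log format, endpoint paths and account fields are assumptions.

```python
"""Log review for the CVE-2025-56449 pattern: Basic Auth succeeding for MFA-locked accounts."""
from datetime import datetime, timedelta

MFA_GRACE_DAYS = 7  # enforcement window described in the advisory

# Constructed account table (hypothetical fields): creation date and MFA enrollment flag.
ACCOUNTS = {
    "admin": {"created": datetime(2025, 9, 1), "mfa_enrolled": False},   # past the window
    "ops":   {"created": datetime(2025, 9, 25), "mfa_enrolled": False},  # still inside it
    "alice": {"created": datetime(2025, 6, 1), "mfa_enrolled": True},    # enrolled
}

# Constructed access-log lines (hypothetical format): ts user auth_method http_method path status
LOG_LINES = [
    "2025-09-29T10:00:01Z admin basic POST /api/users 201",
    "2025-09-29T10:00:02Z alice session GET /api/jobs 200",
    "2025-09-29T10:00:03Z ops basic GET /api/jobs 200",
    "2025-09-29T10:00:04Z admin basic GET /api/jobs 401",
]
NOW = datetime(2025, 9, 29, 12)


def mfa_locked(user, now):
    """True when the account has not enrolled in MFA and its grace window has expired."""
    acct = ACCOUNTS.get(user)
    if acct is None or acct["mfa_enrolled"]:
        return False
    return now - acct["created"] > timedelta(days=MFA_GRACE_DAYS)


def parse(line):
    ts, user, auth, method, path, status = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "user": user,
            "auth": auth, "method": method, "path": path, "status": int(status)}


def find_alerts(lines, now):
    """Return (alert_type, user, path) tuples for calls a defender should review."""
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev["status"] >= 400:
            continue  # rejected calls are not the bypass; only successes matter here
        if ev["auth"] == "basic" and mfa_locked(ev["user"], now):
            alerts.append(("basic_auth_bypass", ev["user"], ev["path"]))
        if ev["method"] == "POST" and ev["path"] == "/api/users":
            alerts.append(("user_creation", ev["user"], ev["path"]))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(LOG_LINES, NOW):
        print(alert)
```

The same `mfa_locked` check, applied inside the API's Basic Authentication handler before the credential check, is the uniform enforcement that recommendation 2 asks for.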


Technical Details

Data Version: 5.1
Assigner Short Name: mitre
Date Reserved: 2025-08-17T00:00:00.000Z
CVSS Version: null
State: PUBLISHED

Threat ID: 68db1fa7a473ffe031e278c9

Added to database: 9/30/2025, 12:09:11 AM

Last enriched: 10/28/2025, 8:44:05 PM

Last updated: 11/14/2025, 6:24:48 AM

