CVE-2025-56449: n/a
A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 thru 6.3.0. If an account is locked out due to not enrolling in MFA (e.g. after the 7-day enforcement window), the REST API still allows the use of Basic Authentication to authenticate and perform administrative actions. In particular, the default admin account was found to be locked out via the web interface but still usable through the REST API. This allowed creation of a new privileged user, bypassing MFA protections. This undermines the intended security posture of MFA enforcement.
AI Analysis
Technical Summary
CVE-2025-56449 is a security vulnerability affecting Obsidian Scheduler's REST API versions 5.0.0 through 6.3.0. The vulnerability arises from improper enforcement of Multi-Factor Authentication (MFA) restrictions on the REST API. Specifically, when an account is locked out due to failure to enroll in MFA within a mandated 7-day enforcement window, the REST API still permits authentication using Basic Authentication. This flaw was notably observed with the default administrative account, which, although locked out via the web interface, remained accessible through the REST API. Consequently, an attacker could exploit this discrepancy to authenticate as the locked-out admin user and perform privileged administrative actions, including the creation of new privileged users. This effectively bypasses the intended MFA enforcement mechanism, undermining the security posture of organizations relying on MFA to protect administrative access. The vulnerability does not require user interaction beyond the attacker having knowledge of valid credentials, and it allows for privilege escalation and persistence within the affected environment. No CVSS score has been assigned yet, and no public exploits are currently known in the wild. However, the impact of this vulnerability is significant due to the potential for unauthorized administrative control.
Potential Impact
For European organizations using Obsidian Scheduler versions 5.0.0 through 6.3.0, this vulnerability poses a serious risk to the confidentiality, integrity, and availability of their scheduling and administrative systems. The ability to bypass MFA and gain administrative access via the REST API could lead to unauthorized creation of privileged accounts, data manipulation, disruption of scheduling operations, and potential lateral movement within the network. Given the critical role scheduling systems often play in operational workflows, exploitation could disrupt business continuity and expose sensitive organizational data. Furthermore, the bypass of MFA—a key security control widely mandated by European cybersecurity regulations such as NIS2 and GDPR—could result in compliance violations and associated legal or financial penalties. The lack of public exploits currently limits immediate widespread impact, but the vulnerability's nature makes it a high-value target for attackers seeking persistent administrative access.
Mitigation Recommendations
Organizations should immediately audit their use of the Obsidian Scheduler REST API and verify whether they are running affected versions (5.0.0 through 6.3.0). Until a patch is available, it is critical to implement compensating controls such as disabling Basic Authentication on the REST API endpoints or restricting REST API access to trusted IP ranges or VPNs. Enforce strict monitoring and logging of REST API authentication attempts, especially for administrative accounts, to detect anomalous access patterns. Consider rotating credentials for default and administrative accounts and removing or disabling default accounts where possible. Additionally, implement network segmentation to limit REST API exposure and apply Web Application Firewalls (WAFs) with rules to detect and block suspicious API requests. Organizations should engage with the Obsidian Scheduler vendor for timely patches and updates and plan for rapid deployment once available. Finally, review and strengthen MFA enforcement mechanisms to ensure consistency across all access vectors, including APIs.
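The monitoring recommendation above can be turned into a concrete check: correlate web-side MFA lockout denials with REST Basic-Auth successes for the same account, and rank writes to user-management endpoints highest because that is the privilege-escalation path the advisory describes. The following is an added example, not code from the advisory or from Obsidian Scheduler; the log layout, the `mfa_lockout` reason string and the `/api/users` path are assumptions, since the advisory does not show the product's real log format or endpoints.

```python
import re

# Constructed sample log (assumed layout; the advisory does not show the real
# Obsidian Scheduler log format). Line 1 is the web UI refusing the locked
# admin; lines 2 and 4 are the same account succeeding over REST Basic Auth.
SAMPLE_LOG = """\
2025-09-29T21:03:11Z web  user=admin auth=form  result=DENIED reason=mfa_lockout
2025-09-29T21:04:02Z rest user=admin auth=basic result=OK path=/api/users method=POST
2025-09-29T21:04:03Z rest user=ops1  auth=token result=OK path=/api/jobs method=GET
2025-09-29T21:05:40Z rest user=admin auth=basic result=OK path=/api/jobs method=GET
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<channel>\S+)\s+(?P<kv>.*)$")
PRIVILEGED_PREFIXES = ("/api/users",)  # assumption: user-management endpoints
WRITE_METHODS = {"POST", "PUT", "PATCH", "DELETE"}


def parse_line(line):
    """Parse one 'timestamp channel key=value ...' line into a dict, or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = {"ts": m.group("ts"), "channel": m.group("channel")}
    for token in m.group("kv").split():
        key, _, value = token.partition("=")
        ev[key] = value
    return ev


def mfa_locked_accounts(events):
    """Accounts the web channel has denied for not enrolling in MFA."""
    return {e["user"] for e in events
            if e["channel"] == "web" and e.get("reason") == "mfa_lockout"}


def find_mfa_bypass(log_text):
    """Return (ts, user, path, severity) for REST Basic-Auth successes by
    accounts that the web UI has MFA-locked; user-management writes are HIGH."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    locked = mfa_locked_accounts(events)
    findings = []
    for e in events:
        if (e["channel"] == "rest" and e.get("auth") == "basic"
                and e.get("result") == "OK" and e.get("user") in locked):
            path = e.get("path", "")
            privileged = (path.startswith(PRIVILEGED_PREFIXES)
                          and e.get("method") in WRITE_METHODS)
            findings.append((e["ts"], e["user"], path,
                             "HIGH" if privileged else "MEDIUM"))
    return findings
```

Running `find_mfa_bypass(SAMPLE_LOG)` on the constructed log yields one HIGH finding for the `POST /api/users` call and one MEDIUM finding for the later read; the token-authenticated `ops1` request is not flagged.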
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Belgium, Sweden
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-08-17T00:00:00.000Z
- CVSS Version: null
- State: PUBLISHED
Threat ID: 68db1fa7a473ffe031e278c9
Added to database: 9/30/2025, 12:09:11 AM
Last enriched: 9/30/2025, 12:11:53 AM
Last updated: 10/2/2025, 6:55:37 AM