Cronicle is a multi-server task scheduler with a web UI. Before version 0.9.111, the server applies update_event keys from jb child processes' JSON output directly to the parent event's stored configuration without authorization checks. This missing authorization (CWE-862) enables low-privilege users with event creation and execution rights to alter any event property, including sensitive fields like webhook URLs and notification emails. The issue is resolved in version 0.9.111.

An attacker with low privileges who can create and run events can modify event configurations arbitrarily. This could lead to unauthorized changes in webhook URLs and notification emails, potentially redirecting notifications or triggering unintended actions. The CVSS 4.0 base score is 5.3 (medium severity), reflecting network attack vector, low privileges required, and no user interaction needed.

Upgrade Cronicle to version 0.9.111 or later, where this vulnerability is fixed. No other official remediation or temporary fixes are documented. Patch status is not explicitly stated but the fix is included in the specified version update.