CVE-2026-39401: CWE-862: Missing Authorization in jhuckaby Cronicle
CVE-2026-39401 is a medium severity vulnerability in jhuckaby Cronicle versions prior to 0. 9. 111. It involves missing authorization checks when jb child processes include an update_event key in their JSON output. This allows a low-privilege user who can create and run events to modify any event property, such as webhook URLs and notification emails. The vulnerability is fixed in version 0. 9. 111.
AI Analysis
Technical Summary
Cronicle is a multi-server task scheduler with a web UI. Before version 0.9.111, the server applies update_event keys from child process JSON output directly to the parent event's stored configuration without verifying authorization. This missing authorization (CWE-862) enables low-privilege users with event creation and execution rights to alter event properties arbitrarily, potentially impacting event behavior and notifications. The issue is resolved in version 0.9.111.
Potential Impact
An attacker with low privileges who can create and run events can modify any event property, including sensitive fields like webhook URLs and notification emails. This could lead to unauthorized changes in event execution or notification handling. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade Cronicle to version 0.9.111 or later, where this vulnerability is fixed. Since the vendor advisory or patch links are not explicitly provided, verify the update availability from the official jhuckaby Cronicle sources before applying the upgrade. Patch status is not yet confirmed from vendor advisory content; check official sources for current remediation guidance.
CVE-2026-39401: CWE-862: Missing Authorization in jhuckaby Cronicle
Description
CVE-2026-39401 is a medium severity vulnerability in jhuckaby Cronicle versions prior to 0. 9. 111. It involves missing authorization checks when jb child processes include an update_event key in their JSON output. This allows a low-privilege user who can create and run events to modify any event property, such as webhook URLs and notification emails. The vulnerability is fixed in version 0. 9. 111.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
Cronicle is a multi-server task scheduler with a web UI. Before version 0.9.111, the server applies update_event keys from child process JSON output directly to the parent event's stored configuration without verifying authorization. This missing authorization (CWE-862) enables low-privilege users with event creation and execution rights to alter event properties arbitrarily, potentially impacting event behavior and notifications. The issue is resolved in version 0.9.111.
Potential Impact
An attacker with low privileges who can create and run events can modify any event property, including sensitive fields like webhook URLs and notification emails. This could lead to unauthorized changes in event execution or notification handling. There are no known exploits in the wild as of the published date.
Mitigation Recommendations
Upgrade Cronicle to version 0.9.111 or later, where this vulnerability is fixed. Since the vendor advisory or patch links are not explicitly provided, verify the update availability from the official jhuckaby Cronicle sources before applying the upgrade. Patch status is not yet confirmed from vendor advisory content; check official sources for current remediation guidance.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- GitHub_M
- Date Reserved
- 2026-04-06T22:06:40.516Z
- Cvss Version
- 4.0
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 69d5698eaaed68159a5d8dfc
Added to database: 4/7/2026, 8:31:10 PM
Last enriched: 4/7/2026, 8:46:12 PM
Last updated: 4/7/2026, 10:24:51 PM
Views: 5
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.