Dashy is a self-hostable personal dashboard. Prior to 4.0.8, Dashy deployments using OIDC can allow unauthenticated users or non-admin authenticated users to write changes to the main config.yaml through the config-saving functionality despite configured permissions, allowing unauthorized modification of dashboard configuration and potential service disruption. This issue is fixed in version 4.0.8.
Metrics
Affected Vendors & Products
References
History
Wed, 15 Jul 2026 22:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Lissy93
Lissy93 dashy |
|
| Vendors & Products |
Lissy93
Lissy93 dashy |
Wed, 15 Jul 2026 18:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Dashy is a self-hostable personal dashboard. Prior to 4.0.8, Dashy deployments using OIDC can allow unauthenticated users or non-admin authenticated users to write changes to the main config.yaml through the config-saving functionality despite configured permissions, allowing unauthorized modification of dashboard configuration and potential service disruption. This issue is fixed in version 4.0.8. | |
| Title | Dash: Users can write to config despire permissions (OIDC tested) | |
| Weaknesses | CWE-15 CWE-284 CWE-287 CWE-602 |
|
| References |
| |
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-15T18:08:48.278Z
Reserved: 2026-05-14T18:06:06.811Z
Link: CVE-2026-46485
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-15T22:15:15Z