GHSA-V8RP-6XCV-FWGH

Vulnerability from github – Published: 2026-07-02 20:55 – Updated: 2026-07-02 20:55
VLAI
Summary
Kiwi TCMS's /init-db/ page renders and responds to requests after first use
Details

Kiwi TCMS provides the /init-db/ page as part of its setup mechanism for administrators who prefer a browser instead of the command line. In previous versions of Kiwi TCMS this page still renders and responds to requests even after first use.

Impact

The /init-db/ page does not require any user authentication because it is the first setup operation that needs to be executed in order for Kiwi TCMS to function. Database initialization happens before there are any user accounts available!

While that looks serious at first the /init-db/ page is merely a proxy behind the /Kiwi/manage.py migrate command, which itself is designed to be reentrant. In the case of repeated access to the /init-db/ page after first use the output is:

Running migrations:
  No migrations to apply.

as shown on the screenshots below:

2222

3333

  • There is no data loss because migrations result in a no-op if they are already applied!
  • No application state is altered because all state changes have already been applied!
  • No confidential information revealed because database migrations only report status on migrations which are clearly visible in source code!

Remediation

The /init-db/ page has been modified to short-circuit itself if migrations have already been applied, resulting in a no-op on the webUI layer as well.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "PyPI",
        "name": "kiwitcms"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "12.4"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-49292"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-862"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-07-02T20:55:22Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "Kiwi TCMS provides the /init-db/ page as part of its setup mechanism for administrators who prefer a browser instead of the command line. In previous versions of Kiwi TCMS this page still renders and responds to requests even after first use.\n\n### Impact\n\nThe /init-db/ page does not require any user authentication because it is the first setup operation that needs to be executed in order for Kiwi TCMS to function. Database initialization happens before there are any user accounts available!\n\nWhile that looks serious at first the /init-db/ page is merely a proxy behind the `/Kiwi/manage.py migrate` command, which itself is designed to be reentrant. In the case of repeated access to the /init-db/ page after first use the output is:\n```\nRunning migrations:\n  No migrations to apply.\n```\nas shown on the screenshots below:\n\n\u003cimg width=\"1911\" height=\"992\" alt=\"2222\" src=\"https://github.com/user-attachments/assets/9f661c71-b305-4380-aadf-0732321b3666\" /\u003e\n\n\u003cimg width=\"1913\" height=\"1020\" alt=\"3333\" src=\"https://github.com/user-attachments/assets/10f8553e-675d-42be-9adc-cd5613df015c\" /\u003e\n\n- There is no data loss because migrations result in a no-op if they are already applied!\n- No application state is altered because all state changes have already been applied! \n- No confidential information revealed because database migrations only report status on migrations which are clearly visible in source code!\n\n### Remediation\n\nThe /init-db/ page has been modified to short-circuit itself if migrations have already been applied, resulting in a no-op on the webUI layer as well.",
  "id": "GHSA-v8rp-6xcv-fwgh",
  "modified": "2026-07-02T20:55:22Z",
  "published": "2026-07-02T20:55:22Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/kiwitcms/Kiwi/security/advisories/GHSA-v8rp-6xcv-fwgh"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/kiwitcms/Kiwi"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Kiwi TCMS\u0027s /init-db/ page renders and responds to requests after first use"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…