CVE-2025-29266

April 1, 2025, 8:26 p.m.

9.6
Critical

Description

Unraid 7.0.0 before 7.0.1 allows remote users to access the Unraid WebGUI and web console as root without authentication if a container is running in Host networking mode with Use Tailscale enabled.

Product(s) Impacted

Vendor Product Versions
Limetech
  • Unraid
  • <7.0.1

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-289
Authentication Bypass by Alternate Name
The product performs authentication based on the name of a resource being accessed, or the name of the actor performing the access, but it does not properly check all possible names for that resource or actor.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a limetech unraid <7.0.1 / / / / / / /

References

https://docs.unraid.net/unraid-os/release-notes/7.0.1/
https://edac.dev/security/CVE-2025-29266/
https://github.com/unraid/webgui

Tags

cve@mitre.org
CWE-289
2025-03-31
CVE-2025-29266

CVSS Score

9.6 / 10

CVSS Data - 3.1

  • Attack Vector: ADJACENT_NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: CHANGED
  • Confidentiality Impact: HIGH
  • Integrity Impact: HIGH
  • Availability Impact: HIGH

    • CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

    View Vector String

Timeline

Published: March 31, 2025, 1:15 p.m.
Last Modified: April 1, 2025, 8:26 p.m.

Status : Awaiting Analysis

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve@mitre.org

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.