cvedb.io
CVE-2021-41238
HIGH · CVSS 8.6
EPSS exploitation probability: 0%
Published 2021-11-02T18:15:08.777 · Last modified 2026-06-17T04:08:09.063

Summary

Hangfire is an open source system to perform background job processing in a .NET or .NET Core applications. No Windows Service or separate process required. Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, `LocalRequestsOnlyAuthorizationFilter` filter is being used to allow only local requests and prohibit all the remote requests to provide sensible, protected by default settings. However due to the recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed. If you are using `UseHangfireDashboard` method with default `DashboardOptions.Authorization` property value, then your installation is impacted. If

Affected products

hangfire — hangfire

Does this affect you?

Add your gear to cvedb and we'll alert you only when hangfire ships something exploited.

Check my exposure →

References

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.