cvedb.io
CVE-2025-55796
HIGH · CVSS 7.5
EPSS exploitation probability: 0%
Published 2025-11-18T17:16:04.270 · Last modified 2026-06-17T09:42:11.793

Summary

The openml/openml.org web application version v2.0.20241110 uses predictable MD5-based tokens for critical user workflows such as signup confirmation, password resets, email confirmation resends, and email change confirmation. These tokens are generated by hashing the current timestamp formatted as "%d %H:%M:%S" (day of month, hour, minute, second) without incorporating any user-specific data or cryptographic randomness. Because the year and month are not even part of the hashed string, the entire token space is at most 31 × 86,400 ≈ 2.7 million values, and an attacker who triggers a flow (for example a password reset for a victim's email) knows to within a few seconds which timestamp the server hashed. This predictability allows remote attackers to brute-force valid tokens within a small time window, enabling unauthorized account confirmation, password resets, and email change approvals, potentially leading to account takeover.
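The following Python is an added illustration, not code from the advisory or from the openml.org project. It models the token construction the summary describes (MD5 over a "%d %H:%M:%S" timestamp) and the online brute force it permits, then shows the hardened pattern a reviewer would ask for: a CSPRNG token, stored hashed, bound to the account, single-use and expiring. Assumptions: the formatted timestamp is hashed as ASCII and the hex digest is used as the token; the reset-flow classes, the `attack_reset` function and the example email addresses are hypothetical.

```python
import hashlib
import secrets
from datetime import datetime, timedelta
from typing import Dict, Optional, Tuple

# --- Vulnerable scheme, as described in the advisory ---------------------------

def weak_token(when: datetime) -> str:
    """MD5 over the timestamp formatted "%d %H:%M:%S" (day-of-month, hour,
    minute, second). No user data, no randomness. Hex output is an assumption."""
    return hashlib.md5(when.strftime("%d %H:%M:%S").encode("ascii")).hexdigest()


def weak_keyspace_size() -> int:
    """Only day-of-month, hour, minute and second feed the hash, so the whole
    token space is at most 31*24*60*60 values regardless of year or month."""
    return 31 * 24 * 60 * 60


class VulnerableResetFlow:
    """Hypothetical stand-in for a password-reset endpoint (not openml.org's code)."""

    def __init__(self) -> None:
        self._pending: Dict[str, str] = {}  # token -> account email

    def request_reset(self, email: str, now: datetime) -> None:
        # The token is emailed to the account owner; the attacker never sees it.
        self._pending[weak_token(now)] = email

    def confirm_reset(self, token: str, new_password: str) -> Optional[str]:
        # Returns the email whose password was changed, or None for an invalid token.
        return self._pending.pop(token, None)


def attack_reset(flow: VulnerableResetFlow, approx_time: datetime,
                 window: int) -> Tuple[Optional[str], int]:
    """The attacker requested a reset for the victim and knows roughly when the
    server handled it. Try every second in +/- window against the confirm
    endpoint; return (victim email on success, number of attempts made)."""
    attempts = 0
    for offset in range(-window, window + 1):
        attempts += 1
        guess = weak_token(approx_time + timedelta(seconds=offset))
        email = flow.confirm_reset(guess, "attacker-chosen-password")
        if email is not None:
            return email, attempts
    return None, attempts


# --- Hardened scheme ------------------------------------------------------------

class HardenedResetFlow:
    """Fix pattern: 256-bit token from the OS CSPRNG, stored only as a SHA-256
    digest, bound to the account it was issued for, single-use, and expiring."""

    TTL = timedelta(hours=1)

    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[str, datetime]] = {}  # digest -> (email, expiry)

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def request_reset(self, email: str, now: datetime) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of entropy, 43 URL-safe chars
        self._pending[self._digest(token)] = (email, now + self.TTL)
        return token  # delivered to the account owner's mailbox only

    def confirm_reset(self, email: str, token: str, now: datetime) -> bool:
        # Lookup is by digest, so a leaked database does not yield usable tokens.
        record = self._pending.get(self._digest(token))
        if record is None:
            return False
        stored_email, expiry = record
        if now > expiry or stored_email != email:
            return False
        del self._pending[self._digest(token)]  # single use
        return True


if __name__ == "__main__":
    server_time = datetime(2025, 11, 18, 17, 16, 4)  # constructed timestamp
    flow = VulnerableResetFlow()
    flow.request_reset("victim@example.org", server_time)
    # Attacker's clock is off by a few seconds; a 30-second window still suffices.
    print(attack_reset(flow, server_time - timedelta(seconds=3), 30))
    print("total weak tokens possible:", weak_keyspace_size())
```

Note that the timing window only makes the attack cheaper; with 2.7 million possible outputs an attacker can also precompute every weak token offline and submit them without knowing the request time at all, subject only to the endpoint's rate limiting. The hardened variant makes guessing infeasible by construction rather than relying on rate limits.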

Affected products

openml — openml.org

This product uses data from the NVD API but is not endorsed or certified by the NVD. Informational only; not professional security advice.