Pachno 1.0.6 Authentication Bypass via runSwitchUser()

Description

Pachno 1.0.6 contains an authentication bypass vulnerability in the runSwitchUser() action that allows authenticated low-privilege users to escalate privileges by manipulating the original_username cookie. Attackers can set the client-controlled original_username cookie to any value and request a switch to user ID 1 to obtain session tokens or password hashes belonging to administrator accounts.

Affected Products

Vendor	Product	Versions
pachno	pachno	1.0.6

References

https://www.zeroscience.mk/en/vulnerabilities/ZSL-2026-5985.php(third-party-advisory)
https://www.vulncheck.com/advisories/pachno-authentication-bypass-via-runswitchuser(third-party-advisory)

Related News (1 articles)

Tier C

VulDB7d ago

CVE-2026-40043 | Pachno 1.0.6 runSwitchUser authorization (ZSL-2026-5985)

→ No new info (linked only)

CVSS 3.16.5 NONE

CISA KEV❌ No

Actively exploited✅ Yes

CWECWE-639

PublishedApr 13, 2026

Last enriched7d agov2

Trending Score14

Source articles1

Independent1

Info Completeness7/14

Missing: cvss, epss, kev, exploit, patch, iocs, mitre_attack

Community Vote

0 upvotes0 downvotes

No votes yet

Related CVEs (4)

Version History

Last enriched 7d ago

v2Tier C7d ago

Updated severity to HIGH and marked the vulnerability as actively exploited.

severityactivelyExploited

via VulDB

v17d ago

Initial creation