Weak password policy on account creation/password update in hay-kot/mealie


Reported on

Jul 30th 2022


The password policy enforced on the account creation and password change pages is weak: it allows a password of only 1 character to be set.

Proof of Concept

Case 1 - Account Creation

  1 - Log in as admin and go to the users page.

  2 - Create a new user, set "1" as the password and click "Create".

  3 - The new user is created successfully.

Case 2 - Password Change

  1 - Log in as a normal user and go to the profile page.

  2 - Click "Change password", set "1" as the new password and click "Save".

  3 - The password is changed successfully.


An attacker could easily guess user passwords and gain access to user and administrative accounts.
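The remediation for a finding like this is a single password-policy check that every path which sets a password (admin-side account creation and the user's own password change) must pass through. The following is an added example written for this page; it is not mealie's code and does not reproduce the project's fix. The minimum length of 8, the PBKDF2 parameters and the in-memory UserStore are assumptions chosen for illustration.

```python
# Added example (not mealie's own code): one password-policy check, applied on
# both the account-creation and the password-change paths, so that a password
# such as "1" is rejected by either path. MIN_PASSWORD_LENGTH = 8 is an assumed
# policy value; the report and the fix do not state the minimum the project chose.
from __future__ import annotations

import hashlib
import hmac
import os
from typing import Callable, Optional

MIN_PASSWORD_LENGTH = 8       # assumed policy value, not taken from the report
PBKDF2_ITERATIONS = 600_000   # assumed KDF work factor for the stand-in hasher


class WeakPasswordError(ValueError):
    """Raised when a candidate password fails the policy."""


def password_policy_errors(password: str) -> list[str]:
    """Return every policy violation for a candidate password; empty means it passes."""
    errors: list[str] = []
    if len(password) < MIN_PASSWORD_LENGTH:
        errors.append(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    if password != password.strip():
        errors.append("password must not begin or end with whitespace")
    return errors


def enforce_password_policy(password: str) -> None:
    """Single choke point: both user creation and password change call this."""
    errors = password_policy_errors(password)
    if errors:
        raise WeakPasswordError("; ".join(errors))


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256 with a random per-user salt (standard library only)."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


class UserStore:
    """In-memory stand-in for the user table; constructed for this example."""

    def __init__(self) -> None:
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def create_user(self, username: str, password: str) -> None:
        enforce_password_policy(password)   # admin-created accounts get no exemption
        self._users[username] = hash_password(password)

    def verify(self, username: str, password: str) -> bool:
        if username not in self._users:
            return False
        salt, stored = self._users[username]
        _, candidate = hash_password(password, salt)
        return hmac.compare_digest(stored, candidate)

    def change_password(self, username: str, current: str, new: str) -> None:
        if not self.verify(username, current):
            raise PermissionError("current password does not match")
        enforce_password_policy(new)        # exactly the same check as on creation
        self._users[username] = hash_password(new)


def is_rejected(action: Callable[[], None]) -> bool:
    """True if calling action() raises WeakPasswordError; shows the policy taking effect."""
    try:
        action()
    except WeakPasswordError:
        return True
    return False


if __name__ == "__main__":
    store = UserStore()
    print("create with '1' rejected:", is_rejected(lambda: store.create_user("alice", "1")))
    store.create_user("alice", "correct-horse-battery")
    print("change to '1' rejected:",
          is_rejected(lambda: store.change_password("alice", "correct-horse-battery", "1")))
```

Keeping the policy in one function (enforce_password_policy) rather than duplicating a length check in each form handler is the point: the two cases in the proof of concept are two call sites of the same rule, and a later third call site (password reset, API client, import) inherits it automatically.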

We are processing your report and will contact the hay-kot/mealie team within 24 hours. 2 years ago
A GitHub Issue asking the maintainers to create a SECURITY.md exists 2 years ago
We have contacted a member of the hay-kot/mealie team and are waiting to hear back 2 years ago
We have sent a follow up to the hay-kot/mealie team. We will try again in 4 days. 2 years ago
We have sent a second follow up to the hay-kot/mealie team. We will try again in 7 days. 2 years ago
Hayden validated this vulnerability 2 years ago
vultza has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Hayden marked this as fixed in nightly with commit 54c4f1 2 years ago
Hayden has been awarded the fix bounty
crud.py#L94-L103 has been validated