What is CVE-2026-32602?

CVE-2026-32602 is a medium-severity vulnerability in Homarr-labs Homarr, classified under Time-of-check Time-of-use (TOCTOU) Race Condition. CVSS score: 4.2/10. Published 2026-04-06.

How severe is CVE-2026-32602?

Medium severity. CVSS v3 base score is 4.2 out of 10.

Vulnerability in Homarr-labs Homarr

CVE-2026-32602

Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint (/api/trpc/user.register) is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The re…

Vulnerability class: TOCTOU (Time-of-Check to Time-of-Use)

EPSS: 0.000 (10.2th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 4.2 (Medium). Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N.

Affected products

Homarr-labs Homarr — versions < 1.57.0

Weakness classification (CWE)

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition

References

https://github.com/homarr-labs/homarr/security/advisories/GHSA-vfw3-53q9-2hp8 (x_refsource_CONFIRM)

Frequently asked questions

What is CVE-2026-32602?: CVE-2026-32602 is a medium-severity vulnerability in Homarr-labs Homarr, classified under Time-of-check Time-of-use (TOCTOU) Race Condition. CVSS score: 4.2/10. Published 2026-04-06.
How severe is CVE-2026-32602?: Medium severity. CVSS v3 base score is 4.2 out of 10.