Vulnerability Description
A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 thru 6.3.0. If an account is locked out due to not enrolling in MFA (e.g. after the 7-day enforcement window), the REST API still allows the use of Basic Authentication to authenticate and perform administrative actions. In particular, the default admin account was found to be locked out via the web interface but still usable through the REST API. This allowed creation of a new privileged user, bypassing MFA protections. This undermines the intended security posture of MFA enforcement.
CVSS Score
HIGH
Related Weaknesses (CWE)
References
- https://blog.gregscharf.com/2025/07/11/upcoming-vulnerability-advisory/
- https://blog.gregscharf.com/2025/07/31/obsidian-scheduler-access-control-vulnera
- https://wiki.obsidianscheduler.com/docs/Release_Notes#Obsidian_6.3.1
FAQ
What is CVE-2025-56449?
CVE-2025-56449 is a vulnerability with a CVSS score of 8.2 (HIGH). A security vulnerability was identified in Obsidian Scheduler's REST API 5.0.0 thru 6.3.0. If an account is locked out due to not enrolling in MFA (e.g. after the 7-day enforcement window), the REST A...
How severe is CVE-2025-56449?
CVE-2025-56449 has been rated HIGH with a CVSS base score of 8.2/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2025-56449?
Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.