Improper access control could let any user export all users of the website in humhub/humhub


Reported on Apr 13th 2022


A user who has to change their password after logging in can export the website's user data.

Proof of Concept

Step 1: Log in to the website with an admin account and change the password of a user. Check the box "Force password change upon next login" and save.

Step 2: Log in to the website with the account whose password you just changed. You will see a change password page.

Step 3: Go to the link domain/admin/user/export?format=xlsx. You will see that this account can export the users' data without admin privilege.

You may try it out on, which is my demo site. After logging in, the user tester / 123123 will be forced to change their password. You can view the export file humhub user.xlsx at


As a result, the attacker may be able to acquire data from all users on the website.
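As an added defender-side example (not code from the report or from the HumHub project), the following Python scans web-server access log lines for hits on the /admin/user/export route by accounts outside the admin set, so an operator can tell whether the export was reached by a non-admin and whether it succeeded (200) or was blocked (403). The log lines, usernames and IPs are constructed, and it assumes the HumHub username appears in the auth field of a combined-format log.

```python
"""Flag requests to HumHub's admin user-export route made by non-admin accounts.

Constructed example: the log lines, user names and IP addresses below are made up
for illustration, and the username in the auth field is an assumption about how
the server is configured to log authenticated users.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Combined-log-format prefix: ip ident user [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
EXPORT_PATH = "/admin/user/export"  # route named in the report


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["format"] = parse_qs(parts.query).get("format", [""])[0]
    rec["status"] = int(rec["status"])
    return rec


def find_unauthorized_exports(lines, admins):
    """Return (user, ip, format, status) for every export hit by a non-admin account.

    A 200 means the export was actually served to the non-admin (the condition the
    report describes); a 403 means the request reached the route but was refused.
    """
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["path"] != EXPORT_PATH or rec["user"] in admins:
            continue
        hits.append((rec["user"], rec["ip"], rec["format"], rec["status"]))
    return hits


# Constructed sample log: one legitimate admin export, a forced-password-change
# user who reaches the export twice, and an unauthenticated request elsewhere.
SAMPLE_LOG = [
    '10.0.0.5 - admin [13/Apr/2022:10:00:01 +0000] "GET /admin/user/export?format=xlsx HTTP/1.1" 200 48213',
    '10.0.0.9 - tester [13/Apr/2022:10:05:17 +0000] "GET / HTTP/1.1" 200 1022',
    '10.0.0.9 - tester [13/Apr/2022:10:06:02 +0000] "GET /admin/user/export?format=xlsx HTTP/1.1" 200 48213',
    '10.0.0.9 - tester [13/Apr/2022:10:07:40 +0000] "GET /admin/user/export?format=csv HTTP/1.1" 403 512',
    '10.0.0.7 - - [13/Apr/2022:10:08:00 +0000] "GET / HTTP/1.1" 200 3000',
]

if __name__ == "__main__":
    for user, ip, fmt, status in find_unauthorized_exports(SAMPLE_LOG, {"admin"}):
        print(f"non-admin export: user={user} ip={ip} format={fmt} status={status}")
```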

We are processing your report and will contact the humhub team within 24 hours.
We have contacted a member of the humhub team and are waiting to hear back.


Thanks for the report. We can confirm the error and are working on a solution.

humhub/humhub maintainer has acknowledged this report.
Lucas Bartholemy validated this vulnerability.
lekhang123lc has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
We have sent a fix follow up to the humhub team. We will try again in 7 days.
Lucas Bartholemy marked this as fixed in 1.9.4 & 1.10.4 & 1.11.0 with commit eb83de.
The fix bounty has been dropped.


