PYSEC-2026-1717

See a problem?
Import Source
https://github.com/pypa/advisory-database/blob/main/vulns/omero-web/PYSEC-2026-1717.yaml
JSON Data
https://api.osv.dev/v1/vulns/PYSEC-2026-1717
Aliases
Published
2026-07-07T16:03:01.015416Z
Modified
2026-07-07T17:47:22.872664938Z
Severity
  • 5.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
OMERO.web displays unecessary user information when requesting password reset
Details

Background

If an error occurred when resetting a user's password using the Forgot Password option in OMERO.web, the error message displayed on the Web page can disclose information about the user.

Impact

OMERO.web before 5.29.1

Patches

User should upgrade to 5.29.2 or higher

Workarounds

Disable the Forgot password option in OMERO.web using the omero.web.show_forgot_password configuration property[^1].

Thanks to Christopher Youd who reported the issue.

Open an issue in omero-web Email us at security@openmicroscopy.org

References

Affected packages

PyPI / omero-web

Package

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
5.29.2

Affected versions

5.*
5.5.dev1
5.5.dev2
5.6.dev1
5.6.dev2
5.6.dev3
5.6.dev4
5.6.dev5
5.6.dev6
5.6.dev7
5.6.0
5.6.1
5.6.2
5.6.3
5.7.0
5.7.1
5.8.0
5.8.1
5.9.0
5.9.1
5.9.2
5.10.0
5.11.0rc1
5.11.0
5.12.0
5.12.1
5.13.0
5.14.0rc1
5.14.0
5.14.1
5.15.0
5.16.0
5.17.0
5.18.0
5.19.0
5.20.0
5.21.0
5.22.0
5.22.1
5.23.0
5.23.1.dev0
5.24.0
5.25.0
5.26.0
5.27.0
5.27.1
5.27.2
5.28.0
5.29.0
5.29.1

Database specific

source
"https://github.com/pypa/advisory-database/blob/main/vulns/omero-web/PYSEC-2026-1717.yaml"