CVE-2022-34624
CVE-2022-34624 is a medium-severity vulnerability in Mealie with a CVSS 3.x base score of 5.9. It is not currently listed as actively exploited by CISA, and its EPSS exploit-prediction score is low. The underlying weakness is classified as CWE-613.
Key facts
- Severity: Medium (CVSS 3.x base score 5.9)
- EPSS exploit prediction: 1% (47th percentile)
- Actively exploited: Not listed in CISA KEV
- Weakness: CWE-613
- Affected product: Mealie
- Published:
- Last modified:
Description
Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.
Frequently asked questions
- What is CVE-2022-34624?
- Mealie1.0.0beta3 does not terminate download tokens after a user logs out, allowing attackers to perform a man-in-the-middle attack via a crafted GET request.
- How severe is CVE-2022-34624?
- CVE-2022-34624 has a CVSS 3.x base score of 5.9, rated medium severity. It is exploitable over network with high attack complexity, requires no privileges and no user interaction. Impact on confidentiality is high, integrity none, and availability none.
- Is CVE-2022-34624 being actively exploited?
- It is not currently listed in CISA's KEV catalog. Its EPSS exploit-prediction score is 1% (47th percentile), an estimate of the probability of exploitation in the next 30 days.
- What products are affected by CVE-2022-34624?
- CVE-2022-34624 primarily affects Mealie. In total, 2 product configurations (CPEs) are listed as vulnerable; see the affected-products list for the exact versions.
- How do I fix CVE-2022-34624?
- Review the linked vendor and NVD advisories for patched versions and mitigations, then upgrade or apply the recommended workaround.
- When was CVE-2022-34624 published?
- CVE-2022-34624 was published on 2022-08-19 and last updated on 2026-07-05.
References
- https://gainsec.com/2022/08/19/cve-2022-34615-cve-2022-34621-cve-2022-34623-cve-2022-34624/
- http://hkotel.com
- http://mealie.com
Affected products (2)
- cpe:2.3:a:mealie:mealie:0.5.5:*:*:*:*:*:*:*
- cpe:2.3:a:mealie:mealie:1.0.0:beta3:*:*:*:*:*:*
More vulnerabilities in Mealie
- CVE-2022-34615 — Critical (CVSS 9.8): Mealie 1.0.0beta3 employs weak password requirements which allows attackers to potentially gain unauthorized access to…
- CVE-2025-56795 — Critical (CVSS 9.0): Mealie 3.0.1 and earlier is vulnerable to Stored Cross-Site Scripting (XSS) in the recipe creation functionality.…
- CVE-2024-55073 — High (CVSS 7.6): A Broken Object Level Authorization vulnerability in the component /api/users/{user-id} of hay-kot mealie v2.2.0 allows…
- CVE-2024-31994 — Medium (CVSS 6.5): Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, an attacker can point the image request to an…
- CVE-2024-31992 — Medium (CVSS 6.5): Mealie is a self hosted recipe manager and meal planner. Prior to 1.4.0, the safe_scrape_html function utilizes a…
- CVE-2022-34621 — Medium (CVSS 6.5): Mealie 1.0.0beta3 was discovered to contain an Insecure Direct Object Reference (IDOR) vulnerability which allows…
Other CWE-613 (Insufficient Session Expiration) vulnerabilities
- CVE-2024-8888 — Critical (CVSS 10.0): An attacker with access to the network where CIRCUTOR Q-SMT is located in its firmware version 1.0.4, could steal the…
- CVE-2026-46455 — Critical (CVSS 9.8): Insufficient Session Expiration vulnerability in Apache Camel Keycloak Component. The camel-keycloak security helper…
- CVE-2026-21622 — Critical (CVSS 9.8): Insufficient Session Expiration vulnerability in hexpm hexpm/hexpm ('Elixir.Hexpm.Accounts.PasswordReset' module)…
- CVE-2025-59786 — Critical (CVSS 9.8): 2N Access Commander version 3.4.2 and prior improperly invalidates session tokens, allowing multiple session cookies to…
- CVE-2026-26342 — Critical (CVSS 9.8): Tattile Smart+, Vega, and Basic device families firmware versions 1.181.5 and prior implement an authentication token…
- CVE-2026-1435 — Critical (CVSS 9.8): Not properly invalidated session vulnerability in Graylog Web Interface, version 2.2.3, due to incorrect management of…
Browse all CWE-613 (Insufficient Session Expiration) vulnerabilities →