## https://sploitus.com/exploit?id=PACKETSTORM:225552
# Security Advisory: CVE-2026-51788
## Denial of Service (DoS) Vulnerability in cleverange_auth v0.1.10
**CVE ID:** CVE-2026-51788
**Status:** Assigned
**Date Discovered:** 2026-04-27
**Researcher:** Aykhan Isgandarli
**Severity:** High (CVSS v3.1: 7.5)
**CVSS Vector:** `CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H`
**Affected Product:** cleverange_auth
**Affected Version:** v0.1.10
**CWE:** CWE-400 (Uncontrolled Resource Consumption), CWE-770 (Allocation of Resources Without Limits)
---
## Summary
A Denial of Service (DoS) vulnerability exists in **cleverange_auth** version **0.1.10**. The vulnerability is caused by the automatic generation of verification records and immediate email delivery whenever a new `User` object is created.
If an application using this package exposes a publicly accessible registration endpoint without appropriate abuse protections such as rate limiting or CAPTCHA, an unauthenticated remote attacker can repeatedly create new accounts and trigger excessive email generation and database writes, resulting in resource exhaustion.
---
## Affected Component
**File**
```
accounts/models.py
```
**Function**
```python
@receiver(post_save, sender=User)
def create_verification(...)
```
---
## Technical Details
When a new `User` object is created, the `create_verification` post-save signal automatically performs the following operations:
1. Creates a new `Verification` object.
2. Generates a 12-digit `account_code`.
3. Generates a 6-digit `verify_code`.
4. Stores both codes in the database.
5. Renders email templates.
6. Sends a verification email synchronously using Django's email backend.
The relevant code path is:
```python
@receiver(post_save, sender=User)
def create_verification(sender, instance, created, **kwargs):
if created:
current_user = Verification.objects.create(user=instance)
ac_code = ''.join([str(random.randint(0, 999)).zfill(3) for _ in range(4)])
current_user.account_code = ac_code
code_num = ''.join([str(random.randint(0, 999)).zfill(3) for _ in range(2)])
current_user.verify_code = code_num
email.send(fail_silently=False)
```
Because the signal performs these actions automatically for every newly created user, applications that do not implement request throttling or other anti-automation controls may allow attackers to repeatedly trigger expensive operations.
---
## Impact
An unauthenticated attacker may repeatedly submit registration requests to trigger:
* Excessive SMTP email generation (email flooding)
* Large numbers of `User` and `Verification` records
* Increased CPU and database utilization
* Increased storage consumption
* Increased email service costs
* Degraded application responsiveness
* Denial of service for legitimate users during sustained attacks
The impact depends on how the application using the package exposes its registration functionality and what abuse protections are implemented by the application.
---
## Attack Requirements
| Property | Value |
| ------------------- | ------------ |
| Attack Vector | Network |
| Privileges Required | None |
| User Interaction | None |
| Authentication | Not Required |
| Attack Complexity | Low |
---
## Root Cause
The package automatically performs resource-intensive operations whenever a new `User` instance is created, including:
* database object creation;
* verification code generation;
* template rendering;
* synchronous SMTP email transmission.
When these operations are exposed through an unauthenticated registration workflow without rate limiting or other abuse protections, they can be repeatedly triggered by an attacker, leading to uncontrolled resource consumption.
---
## Mitigation
Applications using this package should implement multiple layers of abuse protection, including:
1. Rate limiting on registration endpoints.
2. CAPTCHA or equivalent anti-automation mechanisms.
3. Email verification request throttling.
4. Asynchronous email delivery using a task queue such as Celery or RQ.
5. Automatic cleanup of stale, unverified accounts.
6. Limits on registrations per IP address, email address, or device.
7. Monitoring and alerting for abnormal registration activity.
---
## Credits
Discovered and responsibly reported by **Aykhan Isgandarli**.
---
## Timeline
* **2026-04-27** โ Vulnerability discovered.
* **2026** โ Reported through the CVE Program.
* **2026** โ CVE-2026-51788 assigned.
---
## References
* CVE-2026-51788
---
## Disclaimer
This advisory is provided for defensive and educational purposes. Administrators and developers using affected versions should apply appropriate mitigations and follow secure development practices to reduce the risk of resource exhaustion attacks.