CVE-2021-21276: Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site...

Description

Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.

Metrics

CVSS 3.1

9.3/10

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N

EPSS Probability

7.16%

93.5th percentile

Probability of exploitation in the next 30 days. Learn more

Weakness Enumeration

CWE-863

Affected Software

Vendor	Product	Versions
Polrproject	Polr	< 2.3.0

References

http://packetstormsecurity.com/files/171743/POLR-URL-2.3.0-Shortener-Admin-Takeover.html
https://github.com/cydrobolt/polr/commit/b1981709908caf6069b4a29dad3b6739c322c675Patch, Third Party Advisory
https://github.com/cydrobolt/polr/releases/tag/2.3.0Release Notes, Third Party Advisory
https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqcThird Party Advisory
http://packetstormsecurity.com/files/171743/POLR-URL-2.3.0-Shortener-Admin-Takeover.html
https://github.com/cydrobolt/polr/commit/b1981709908caf6069b4a29dad3b6739c322c675Patch, Third Party Advisory
https://github.com/cydrobolt/polr/releases/tag/2.3.0Release Notes, Third Party Advisory
https://github.com/cydrobolt/polr/security/advisories/GHSA-vg6w-8w9v-xxqcThird Party Advisory

Timeline

Published: Feb 1, 2021
Last Modified: Jun 17, 2026
Status: Modified

Frequently Asked Questions

What is CVE-2021-21276?

Polr is an open source URL shortener. in Polr before version 2.3.0, a vulnerability in the setup process allows attackers to gain admin access to site instances, even if they do not possess an existing account. This vulnerability exists regardless of users' settings. If an attacker crafts a request with specific cookie headers to the /setup/finish endpoint, they may be able to obtain admin privileges on the instance. This is caused by a loose comparison (==) in SetupController that is susceptible to attack. The project has been patched to ensure that a strict comparison (===) is used to verify the setup key, and that /setup/finish verifies that no users table exists before performing any migrations or provisioning any new accounts. This is fixed in version 2.3.0. Users can patch this vulnerability without upgrading by adding abort(404) to the very first line of finishSetup in SetupController.php.

How severe is CVE-2021-21276?

CVE-2021-21276 has a CVSS score of 9.3/10 (CRITICAL severity). The EPSS model estimates a 7.16% probability of exploitation in the next 30 days.

How do I fix CVE-2021-21276?

Check the vendor references and advisories linked above for patched versions and mitigation guidance. You can also run a Strix scan to test if your systems are affected.