Summary
Missing Authorization with Default Settings in Dashboard UI
Dashboard UI in Hangfire.Core uses authorization filters to protect it from showing sensitive data to unauthorized users. By default when no custom authorization filters specified, LocalRequestsOnlyAuthorizationFilter filter is being used to allow only local requests and prohibit all the remote requests to provide sensible, protected by default settings.
However due to the recent changes, in version 1.7.25 no authorization filters are used by default, allowing remote requests to succeed.
Impacted
If you are using UseHangfireDashboard method with default DashboardOptions.Authorization property value, then your installation is impacted:
app.UseHangfireDashboard(); // Impacted
app.UseHangfireDashboard("/hangfire", new DashboardOptions()); // Impacted
Not Impacted
If any other authorization filter is specified in the DashboardOptions.Authorization property, the you are not impacted:
app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
Authorization = new []{ new SomeAuthorizationFilter(); } // Not impacted
});
Workarounds
It is possible to fix the issue by using the LocalRequestsOnlyAuthorizationFilter explicitly when configuring the Dashboard UI. In this case upgrade is not required.
// using Hangfire.Dashboard;
app.UseHangfireDashboard("/hangfire", new DashboardOptions
{
Authorization = new []{ new LocalRequestsOnlyAuthorizationFilter(); }
});
References
Original GitHub Issue: https://github.com/HangfireIO/Hangfire/issues/1958
Impact
Missing authorization when default options are used for the Dashboard UI, e.g. when no custom authorization rules are used as recommended in the Using Dashboard documentation article.
The application does not perform an authorization check before performing a sensitive operation. Typical impact: unauthorized access to restricted functionality or data.
CVE-2021-41238 has a CVSS score of 8.6 (High). The vector is network-reachable, no privileges required, and no user interaction. A CVSS score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether this affects your application depends on whether the vulnerable code is present and reachable in your environment. A fixed version is available (1.7.26); upgrading removes the vulnerable code path.
Affected versions
Security releases
Kodem intelligence
Severity tells you how bad this could be in the worst case. It does not tell you whether you are exposed. Exploitability and impact are functions of runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A vulnerable package can sit in your dependency tree and never run.
Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter. Kodem's runtime-powered SCA identifies whether this CVE is reachable in your applications.
Already deployed Kodem?
See it in your environmentNew to Kodem? Get a demo →Remediation advice
Patch is already available in version 1.7.26 and already available on NuGet.org, please see Hangfire.Core 1.7.26. Default authorization rules now prohibit remote requests by default again by including the LocalRequestsOnlyAuthorizationFilter filter to the default settings. Please upgrade to the newest version in order to mitigate the issue.
Frequently Asked Questions
- What is CVE-2021-41238? CVE-2021-41238 is a high-severity missing authorization vulnerability in Hangfire.Core (nuget), affecting versions = 1.7.25. It is fixed in 1.7.26. The application does not perform an authorization check before performing a sensitive operation.
- How severe is CVE-2021-41238? CVE-2021-41238 has a CVSS score of 8.6 (High). This score reflects the worst-case severity of the vulnerability, not your specific exposure. Whether it represents real risk in your environment depends on whether the vulnerable code is present and reachable.
- Which versions of Hangfire.Core are affected by CVE-2021-41238? Hangfire.Core (nuget) versions = 1.7.25 is affected.
- Is there a fix for CVE-2021-41238? Yes. CVE-2021-41238 is fixed in 1.7.26. Upgrade to this version or later.
- Is CVE-2021-41238 exploitable, and should I be worried? Whether CVE-2021-41238 is exploitable in your environment depends on whether the vulnerable code is present and reachable. A CVSS score is a worst-case rating; it does not account for your specific deployment, configuration, or usage patterns. Kodem, an Intelligent Application Security platform, uses runtime intelligence to show which vulnerabilities actually execute in production, so you can focus on the ones that represent real risk. Get a demo
- What actually determines whether CVE-2021-41238 is exploitable, and how bad it is? Exploitability and impact are not fixed properties of a CVE. They depend on runtime truth: whether the vulnerable code is present, reachable, and actually executes in your application. A high CVSS score on a dependency that never runs is not the same as real risk. Kodem, an Intelligent Application Security platform, uses runtime intelligence to reveal which vulnerabilities actually execute in production, so teams prioritize the ones that genuinely matter.
- How do I fix CVE-2021-41238? Upgrade
Hangfire.Coreto 1.7.26 or later.