CVE-2020-36968 — Vulnetix

CVE-2020-36968 PUBLISHED

M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users.

EPSS 0.26% · 50.3th percentile

Risk Scores

EPSS Score

0.26%

50.3th percentile

Affected Products

Vendor	Product	Versions
Ubuntu:Pro:20.04:LTS	monit	1:5.26.0-1build1, *, 0
Ubuntu:Pro:22.04:LTS	monit	1:5.29.0-5, 1:5.27.2-1, 0
Ubuntu:24.04:LTS	monit	1:5.33.0-1, 1:5.33.0-2build2, 1:5.33.0-2build1
Ubuntu:25.10	monit	0, 1:5.34.3-1, 1:5.35.2-1
Ubuntu:Pro:16.04:LTS	monit	1:5.16-2ubuntu0.2, 1:5.16-2ubuntu0.1, 1:5.16-2
Ubuntu:Pro:18.04:LTS	monit	1:5.25.1-1ubuntu0.1~esm1, ,
Ubuntu:Pro:14.04:LTS	monit	*, 1:5.6-2ubuntu0.1, 1:5.6-1

Exploit Intelligence

https://www.exploit-db.com/exploits/49081 (nist-nvd)
M/Monit Official Vendor Homepage (circl)
VulnCheck Advisory: M/Monit 3.7.4 - Password Disclosure (circl)

Timeline

Jan 28, 2026 CVE Published
Jan 29, 2026 EPSS Score
Jan 31, 2026 EPSS Score
Feb 3, 2026 EPSS Score
Feb 5, 2026 EPSS Score
Feb 8, 2026 EPSS Score
Feb 10, 2026 EPSS Score
Feb 13, 2026 EPSS Score
Feb 15, 2026 EPSS Score
Feb 18, 2026 EPSS Score
Feb 20, 2026 EPSS Score
Feb 23, 2026 EPSS Score

References

https://ubuntu.com/security/CVE-2020-36968 third-party-advisory
https://www.cve.org/CVERecord?id=CVE-2020-36968 third-party-advisory
https://www.exploit-db.com/exploits/49081 third-party-advisory
https://mmonit.com/ third-party-advisory
https://www.vulncheck.com/advisories/mmonit-password-disclosure third-party-advisory

Open in Interactive Console →