Warning: As of v4beta All Admin Emails Are Publicly Accessible without Authentication

This is a quick warning to those of you playing with v4beta.

As of v4beta3, there is no authentication for Mailhog (example.com/ee-admin/mailhog/), so all admin email notifications, including password reset emails, are publicly accessible from the above Mailhog URL without authentication.

That means it’s a walk in the park for anyone to reset your admin password.

I know it’s a beta and there’s a warning this must not be used in production and all that. But really, even for a beta, I think this is unacceptable… as this leaves every test installation open for admin takeover.

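A quick way to check your own test installation for the exposure described in the post, as an added example that is not part of the original post or of the EasyEngine or Mailhog projects. It assumes Mailhog's v2 JSON API (`/api/v2/messages`) is served under the path quoted in the post (`/ee-admin/mailhog/`), and that password-reset mail can be recognised by its Subject header; the base URL and the subject patterns are assumptions you should adjust. With no argument it runs against a constructed sample mailbox so it works offline; pass a URL to probe a real instance.

```python
"""Check whether a Mailhog instance answers without authentication and
whether its mailbox already holds password-reset mail.

Added example for the warning above, not code from the original post or
from the EasyEngine/Mailhog projects. Assumes the Mailhog v2 API
(/api/v2/messages) is mounted under the path from the post.
"""
import json
import re
import sys
import urllib.error
import urllib.request

# Path taken from the post; the host is a placeholder (assumption).
DEFAULT_BASE = "https://example.com/ee-admin/mailhog"

# Subject fragments that usually mark credential-reset mail (assumption).
RESET_PATTERN = re.compile(r"password reset|reset your password|reset password", re.I)

# Constructed sample in the shape Mailhog's v2 API returns (not captured data).
SAMPLE = {
    "total": 2, "count": 2, "start": 0,
    "items": [
        {"ID": "msg-1",
         "To": [{"Mailbox": "admin", "Domain": "example.com"}],
         "Content": {"Headers": {"Subject": ["[example.com] Password Reset"]},
                     "Body": "Use the link in this mail to set a new password."}},
        {"ID": "msg-2",
         "To": [{"Mailbox": "admin", "Domain": "example.com"}],
         "Content": {"Headers": {"Subject": ["New comment on your post"]},
                     "Body": "Someone commented."}},
    ],
}


def find_reset_emails(messages):
    """Return (subject, recipients, ID) for every message whose Subject header
    looks like a password reset. `messages` is the decoded JSON of
    /api/v2/messages: {"total": N, "count": N, "items": [...]}."""
    hits = []
    for item in messages.get("items", []):
        headers = item.get("Content", {}).get("Headers", {})
        subject = " ".join(headers.get("Subject", []))
        if RESET_PATTERN.search(subject):
            rcpts = [f"{t.get('Mailbox')}@{t.get('Domain')}" for t in item.get("To", [])]
            hits.append((subject, rcpts, item.get("ID", "")))
    return hits


def probe(base_url, timeout=5):
    """Fetch the message list with no credentials. Returns (state, body):
    'open'    -> 200 with a JSON message list: anyone can read the mail,
    'auth'    -> 401/403: something is in front of Mailhog,
    'missing' -> 404, bad URL or connection failure: not exposed there."""
    url = base_url.rstrip("/") + "/api/v2/messages?start=0&limit=50"
    try:
        req = urllib.request.Request(url, headers={"User-Agent": "mailhog-exposure-check"})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            body = json.loads(resp.read().decode("utf-8"))
    except urllib.error.HTTPError as e:
        return ("auth" if e.code in (401, 403) else "missing"), None
    except (urllib.error.URLError, ValueError, OSError):
        return "missing", None
    return "open", body


def report(base, state, body):
    """Print a one-line verdict plus any reset mails found; returns hit count."""
    if state != "open":
        print(f"{state}: {base}")
        return 0
    hits = find_reset_emails(body)
    print(f"EXPOSED: {base} answers without auth; {body.get('total')} messages, "
          f"{len(hits)} look like password resets")
    for subject, rcpts, mid in hits:
        print(f"  {mid}: {subject!r} -> {', '.join(rcpts)}")
    return len(hits)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        base = sys.argv[1]
        state, body = probe(base)
    else:  # offline demo on the constructed sample
        base, state, body = DEFAULT_BASE + " (sample)", "open", SAMPLE
    report(base, state, body)
```

If the verdict is `open`, the fix the post is asking for is to put authentication in front of that path (or not publish it at all) before anything else; a reset mail in the list means the admin account can already be taken over by whoever reads it first.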