[Security] Issues reported via security contact mentioned in Security.md

[hardiksingh-astra]

Environment

Docker Version (operacle/checkcle:latest) v1.6.0

Bug Description

Hey @tolaleng,

A few weeks ago (Feb 19, 2026) I sent a responsible disclosure email to the security contact listed in SECURITY.md regarding several potential security issues affecting this repository.

Steps to Reproduce

I just wanted to check in to make sure the message reached the right place, as I haven’t heard back yet and wanted to confirm it didn’t get lost or filtered.

Expected Behavior

Also, if required, I could also submit a pull request with fixes if that would help.

Screenshots or Videos

No response

Logs

Checklist

• I have searched existing issues to avoid creating duplicates.
• I have provided sufficient information to reproduce the issue.

[tolaleng]

Hello @hardiksingh-astra Thank you for reaching out and for your responsible disclosure.

I’m sorry, but I wasn’t able to find the email you mentioned that was sent on Feb 19, 2026. It’s possible that it didn’t reach my inbox or was filtered.

Could you please resend the details to this email address: hello@checkcle.io so I can review the reported issues?

I appreciate your effort in helping improve the security of the project and look forward to reviewing your report.

[hardiksingh-astra]

Hi @tolaleng,

Thanks for the reply, I have sent an email with the summary, thanks!

[hardiksingh-astra]

Hi @tolaleng,

Following up here since I haven't received a response to the email I resent to hello@checkcle.io on March 9, 2026. I want to document the full timeline publicly for transparency and record-keeping.

Timeline

Date	Event
Feb 19, 2026	I sent five individual security reports to security@checkcle.io (the contact listed in SECURITY.md) detailing unauthenticated access to multiple PocketBase collection API endpoints in checkcle v1.6.0. I also submitted CVE requests to MITRE on the same day (MITRE Request ID: scr1995142).
Feb 25, 2026	A separate researcher independently reported a similar root cause publicly via #214.
Feb 25, 2026	A fix was committed in f2c338c, referencing #214.
Mar 9, 2026	I created this issue (#217) to check if my original email was received.
Mar 9, 2026	@tolaleng responded, confirming the original email was not received/was filtered, and asked me to resend to hello@checkcle.io.
Mar 9, 2026	I resent all five reports to hello@checkcle.io with the original reports attached and referenced this issue and the fix commit in the email.
May 6, 2026	MITRE assigned five CVE IDs for the reported vulnerabilities: CVE-2026-36134, CVE-2026-36135, CVE-2026-36136, CVE-2026-36137, CVE-2026-36138.

Summary

All five reported issues relate to the same root cause missing authentication enforcement on PocketBase collection API endpoints in checkcle v1.6.0, allowing unauthenticated CRUD operations across multiple collections. The specific affected endpoints and PoC details were shared in the emails and MITRE submissions. Full details will be included in our advisory once the fix is verified.

Five CVE IDs have been assigned by MITRE and are currently in RESERVED state:

• CVE-2026-36134
• CVE-2026-36135
• CVE-2026-36136
• CVE-2026-36137
• CVE-2026-36138

Concerns Regarding the Fix

While the fix in commit f2c338c appears to address the root cause, I have a few concerns:

1. No tagged release since the fix: v1.6.0 remains the latest release. The fix exists only on the main branch.
2. Docker image status unclear: The recommended installation method is via the Docker image (operacle/checkcle:latest). It's unclear whether the current image includes the fix or is still based on the v1.6.0 release.
3. Documentation unavailable: The documentation site (docs.checkcle.io) appears to be down, which makes it difficult to verify the current recommended deployment method or whether any security guidance has been issued.

These factors make it difficult to confirm whether users deploying checkcle today are running a patched or vulnerable version.

Next Steps

We plan to verify the fix and publish a security advisory for these five CVEs. I wanted to give you a heads-up before that happens and provide an opportunity to coordinate.

If you would like to coordinate on disclosure or have any questions, please contact me.