SB2026071206 - Improper Authentication in eLabFTW
Published: July 12, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Improper Authentication (CVE-ID: N/A)
CWE-ID: CWE-287 - Improper Authentication
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
The vulnerability allows a remote user to access and modify team data after membership revocation.
The vulnerability exists due to improper authentication in API key authorization for archived team members when processing API requests with keys created before archival. A remote user can use a previously issued API key to access and modify team data after membership revocation.
The issue affects users who were archived from a team, while API keys created before archival remain valid for that team.
Remediation
Install update from vendor's website.