SB2026071206 - Improper Authentication in eLabFTW



SB2026071206 - Improper Authentication in eLabFTW

Published: July 12, 2026

Security Bulletin ID SB2026071206
CSH Severity
Medium
Patch available
YES
Number of vulnerabilities 1
Exploitation vector Remote access
Highest impact Data manipulation

Breakdown by Severity

Medium 100%
  • Low
  • Medium
  • High
  • Critical

Description

This security bulletin contains information about 1 vulnerability.


1) Improper Authentication (CVE-ID: N/A)

CWE-ID: CWE-287 - Improper Authentication

CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green


The vulnerability allows a remote user to access and modify team data after membership revocation.

The vulnerability exists due to improper authentication in API key authorization for archived team members when processing API requests with keys created before archival. A remote user can use a previously issued API key to access and modify team data after membership revocation.

The issue affects users who were archived from a team, while API keys created before archival remain valid for that team.


Remediation

Install update from vendor's website.