SB2026071207 - Multiple vulnerabilities in eLabFTW
Published: July 12, 2026
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 16 vulnerabilities.
1) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in RequestActions API when handling requests for pending approval actions. A remote user can request another user's pending approval actions to disclose sensitive information.
The issue affects private experiments and resources.
2) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in Steps API when handling requests for protocol steps. A remote user can request protocol steps associated with another user's private experiment or resource to disclose sensitive information.
3) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to incorrect authorization in API list endpoints when processing a specially crafted filter. A remote attacker can call the affected endpoints with a specially crafted filter to disclose sensitive information.
Only instances with anonymous visitors enabled are vulnerable. The issue affects private experiments, resources, and experiment templates across teams the requester does not belong to.
4) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to perform unauthorized same-origin API actions with administrative privileges.
The vulnerability exists due to cross-site scripting in experiment/resource body rendering when a sysadmin opens the entry. A remote user can store a crafted experiment or resource body to perform unauthorized same-origin API actions with administrative privileges.
User interaction is required, as a sysadmin must open the crafted entry.
5) Cross-site scripting (CVE-ID: N/A)
CWE-ID: CWE-79 - Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:N/VA:N/SC:L/SI:L/SA:N/E:U/U:Clear
The vulnerability allows a remote user to escalate privileges.
The vulnerability exists due to cross-site scripting in the experiment/resource metadata rendering when handling stored metadata content on the experiment or resource list page. A remote user can store a crafted payload to escalate privileges.
User interaction is required when a sysadmin opens the normal experiment or resource list page.
6) Missing Authorization (CVE-ID: N/A)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to missing authorization in the generic entity update path when handling generic PATCH requests that include raw userid and team fields through EntityParams. A remote user can send a specially crafted PATCH request to disclose sensitive information.
The issue affects ownership transfer between teams through the generic action:update path and bypasses the checks implemented in updateOwnership().
7) Incorrect authorization (CVE-ID: N/A)
CWE-ID: CWE-863 - Incorrect Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incorrect authorization in scheduler API when returning calendar event data for shared bookable resources. A remote user can request event information to disclose sensitive information.
The exposed data can include the title and id of a private experiment or linked resource bound to a visible calendar event.
8) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to modify or delete status or category objects in another team.
The vulnerability exists due to authorization bypass through user-controlled key in the team status/category endpoints when handling patch or delete requests with a user-supplied object ID. A remote user can guess a target object ID and send a crafted request to modify or delete status or category objects in another team.
The issue affects cross-team access boundaries between Team A and Team B.
9) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to delete tags from any entity they can read.
The vulnerability exists due to authorization bypass through user-controlled key in the tag deletion authorization logic when handling tag deletion requests for readable entities. A remote user can send a crafted request targeting another readable entity to delete tags from any entity they can read.
The issue affects authenticated users with read-only access.
10) Missing Authorization (CVE-ID: N/A)
CWE-ID: CWE-862 - Missing Authorization
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to missing authorization in the global stored-compounds inventory export feature when handling export requests. A remote user can export the global stored-compounds inventory to disclose sensitive information.
Exported data could include linked private titles.
11) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in UserRequestActions API when handling requests for pending request actions. A remote user can supply a user-controlled identifier to read another user's pending request actions to disclose sensitive information.
The exposed information includes experiment and item titles.
12) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to read and delete another user's notifications.
The vulnerability exists due to improper access control in the UserNotifications API when handling authenticated requests for notification operations. A remote user can modify a user-controlled key to access another user's notifications and to read and delete another user's notifications.
The issue also allows acknowledging another user's notifications.
13) Improper privilege management (CVE-ID: N/A)
CWE-ID: CWE-269 - Improper Privilege Management
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to extend the validity of their account.
The vulnerability exists due to improper privilege management in PATCH /api/v2/users/me when updating the valid_until field. A remote user can send a crafted request to extend the validity of their account.
14) Improper access control (CVE-ID: N/A)
CWE-ID: CWE-284 - Improper Access Control
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to bypass account deactivation controls.
The vulnerability exists due to improper access control in PATCH /api/v2/users/me when handling account update requests. A remote user can send a crafted PATCH request to bypass account deactivation controls.
This issue is theoretical because the validated value can be reverted through the API even though it cannot be set to 0 through the web interface.
15) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to access another user's encrypted private signing key.
The vulnerability exists due to improper access control in the `GET /api/v2/users/{id}/sig_keys/` API endpoint when handling requests for another user's signing keys. A remote user can request the endpoint with a different user identifier to access another user's encrypted private signing key.
Exploitation requires authenticated API access, and the targeted user must have at least one active signing key.
16) Authorization bypass through user-controlled key (CVE-ID: N/A)
CWE-ID: CWE-639 - Authorization Bypass Through User-Controlled Key
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote user to read, modify, or delete procurement requests from other teams.
The vulnerability exists due to improper access control in the procurement requests functionality when handling requests for procurement request objects. A remote privileged user can manipulate request identifiers to read, patch, or delete procurement requests from other teams to read, modify, or delete procurement requests from other teams.
Remediation
Install update from vendor's website.
References
- https://github.com/elabftw/elabftw/security/advisories/GHSA-h69w-4q9x-r59p
- https://github.com/elabftw/elabftw/security/advisories/GHSA-38j3-v4vh-6h66
- https://github.com/elabftw/elabftw/security/advisories/GHSA-ch3q-jpx5-hcwr
- https://github.com/elabftw/elabftw/security/advisories/GHSA-w4gp-34mx-g5qf
- https://github.com/elabftw/elabftw/security/advisories/GHSA-9wvm-vwcg-7c58
- https://github.com/elabftw/elabftw/security/advisories/GHSA-99qj-pc8p-c87g
- https://github.com/elabftw/elabftw/security/advisories/GHSA-p2wc-m5qg-97w2
- https://github.com/elabftw/elabftw/security/advisories/GHSA-9366-mh6g-v8cm
- https://github.com/elabftw/elabftw/security/advisories/GHSA-6p57-qc6h-pwp5
- https://github.com/elabftw/elabftw/security/advisories/GHSA-2qjc-qp9c-hrxc
- https://github.com/elabftw/elabftw/security/advisories/GHSA-jp96-xqhr-crr5
- https://github.com/elabftw/elabftw/security/advisories/GHSA-5f4w-rvhw-5xq2
- https://github.com/elabftw/elabftw/security/advisories/GHSA-j75q-fh4q-hm4h
- https://github.com/elabftw/elabftw/security/advisories/GHSA-2pfr-j6jr-4mc9
- https://github.com/elabftw/elabftw/security/advisories/GHSA-xh69-m382-7wvx
- https://github.com/elabftw/elabftw/security/advisories/GHSA-xhrv-794g-34cp