Incorrect Implementation of Authentication Algorithm in eLabFTW - CVE-2021-43834

Published: December 15, 2021 / Updated: April 24, 2026


Vulnerability identifier: #VU127367
CSH Severity: High
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2021-43834
CWE-ID: CWE-303
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: eLabFTW
Software vendor: elabftw

Description

The vulnerability allows a remote attacker to authenticate as an existing user.

The vulnerability exists because the authentication mechanism incorrectly implements its authentication algorithm when processing login attempts for accounts that were created through single sign-on options. A remote attacker can submit crafted authentication data to authenticate as an existing user.

Only instances using LDAP or SAML authentication for affected accounts are vulnerable.
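The failure class described above (CWE-303) is easiest to reason about in code. The following is an added illustration written for this page; it is not eLabFTW's code and does not reproduce the actual defect, whose details the advisory does not give. It contrasts a hypothetical login routine that treats an SSO-created account with no stored password hash as having nothing to verify with a hardened routine that applies two independent controls: local password login is refused for any account whose authentication source is not "local", and SSO accounts are created with an unusable password marker that the verifier always rejects. The `Account` fields, `auth_source` values and marker string are constructed for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Optional

# Constructed marker stored in place of a hash for accounts that must never
# authenticate with a local password (mirrors the "!" convention some frameworks use).
UNUSABLE_PASSWORD = "!sso-account-no-local-password"
PBKDF2_ITERATIONS = 200_000


@dataclass
class Account:
    username: str
    auth_source: str              # constructed values: "local", "ldap" or "saml"
    password_hash: Optional[str]  # None, "pbkdf2$<salt-hex>$<digest-hex>" or UNUSABLE_PASSWORD


def hash_password(password: str) -> str:
    """Salted PBKDF2-HMAC-SHA256, encoded as scheme$salt$digest."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: Optional[str]) -> bool:
    """Return True only for a well-formed, usable hash that matches the password."""
    if not stored or stored.startswith("!"):
        return False  # missing hash or unusable marker: never a match
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def vulnerable_local_login(account: Account, password: str) -> bool:
    """Hypothetical CWE-303 pattern: an empty hash is treated as 'nothing to check'.

    For an SSO-created account that was stored without a password hash, the
    condition short-circuits and the login succeeds for any submitted password.
    """
    if account.password_hash and not verify_password(password, account.password_hash):
        return False
    return True


def hardened_local_login(account: Account, password: str) -> bool:
    """Password login is only valid for local accounts, and only against a usable hash."""
    if account.auth_source != "local":
        return False  # LDAP/SAML accounts must authenticate through their IdP
    return verify_password(password, account.password_hash)


def create_account(username: str, auth_source: str, password: Optional[str] = None) -> Account:
    """Local accounts get a real hash; SSO accounts get the unusable marker, never None."""
    if auth_source == "local":
        if not password:
            raise ValueError("local accounts require a password")
        return Account(username, "local", hash_password(password))
    return Account(username, auth_source, UNUSABLE_PASSWORD)


def demo() -> dict:
    """Exercise both routines against constructed accounts and report the outcomes."""
    legacy_ldap = Account("alice", "ldap", None)          # SSO account stored with no hash
    local_user = create_account("bob", "local", "correct horse battery staple")
    saml_user = create_account("carol", "saml")
    return {
        "vulnerable_accepts_ldap_user_with_any_password": vulnerable_local_login(legacy_ldap, "anything"),
        "hardened_rejects_ldap_user": not hardened_local_login(legacy_ldap, "anything"),
        "hardened_accepts_correct_local_password": hardened_local_login(local_user, "correct horse battery staple"),
        "hardened_rejects_wrong_local_password": not hardened_local_login(local_user, "wrong"),
        "hardened_rejects_saml_user": not hardened_local_login(saml_user, ""),
    }


if __name__ == "__main__":
    for check, result in demo().items():
        print(f"{check}: {result}")
```

The auth-source check and the unusable marker are deliberately redundant: if a migration or import ever leaves an SSO account with a missing or empty hash, the first control still refuses the local login path, and if a routing bug ever sends an SSO account through the password verifier, the second control still fails closed.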


Remediation

Install the security update from the vendor's website.

External links