#VU127369 Incorrect Privilege Assignment in eLabFTW - CVE-2024-25633

 


Published: August 13, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127369
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-25633
CWE-ID: CWE-266
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software:
eLabFTW
Software vendor:
elabftw

Description

The vulnerability allows a remote user to create user accounts and gain access to team data.

The vulnerability exists due to incorrect privilege assignment in the user account creation functionality: the ability to create accounts is granted to roles that should not have it. A remote authenticated user without administrative rights can create new, already-validated accounts in their own team and use them to gain access to team data.

If anonymous access is enabled, an unauthenticated user can create regular user accounts in any team.
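The following Python model is an added illustration of the flaw class (CWE-266), not eLabFTW's code: the roles, the permission tables, the `ANONYMOUS_ACCESS_ENABLED` setting and the handler names are assumptions made for the example. It contrasts a permission table that hands `create_user` to every role with one that restricts it to team admins and sysadmins, and adds the team-scoping check that stops an admin from creating accounts in a team they do not administer.

```python
"""Hypothetical model of an incorrect-privilege-assignment flaw in account creation.

Not eLabFTW's code: Role, User, Directory, the permission tables and the two
handlers are assumptions for this example, not the project's API.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class Role(Enum):
    ANONYMOUS = "anonymous"  # unauthenticated visitor, only possible when anonymous access is on
    USER = "user"            # regular team member
    ADMIN = "admin"          # administrator of one or more teams
    SYSADMIN = "sysadmin"    # instance-wide administrator


@dataclass
class User:
    email: str
    teams: set[int]
    role: Role = Role.USER
    validated: bool = False
    admin_of: set[int] = field(default_factory=set)


@dataclass
class Directory:
    users: dict[str, User] = field(default_factory=dict)


class Forbidden(Exception):
    pass


ANONYMOUS_ACCESS_ENABLED = True  # assumed instance setting for the example

# Which roles each action is assigned to. The vulnerable table grants "create_user"
# to every role, regular users included (and anonymous visitors when anonymous
# access is enabled); the fixed table limits it to admins and sysadmins.
PERMISSIONS_VULNERABLE = {"create_user": {Role.ANONYMOUS, Role.USER, Role.ADMIN, Role.SYSADMIN}}
PERMISSIONS_FIXED = {"create_user": {Role.ADMIN, Role.SYSADMIN}}


def authorize(perms: dict[str, set[Role]], requester: Optional[User], action: str) -> Role:
    """Resolve the caller's role and check it against the permission table."""
    role = Role.ANONYMOUS if requester is None else requester.role
    if role == Role.ANONYMOUS and not ANONYMOUS_ACCESS_ENABLED:
        raise Forbidden("authentication required")
    if role not in perms[action]:
        raise Forbidden(f"role {role.value} may not {action}")
    return role


def create_user_vulnerable(directory: Directory, requester: Optional[User],
                           email: str, team_id: int) -> User:
    """Vulnerable: any permitted caller may name any team, and the account is validated at once."""
    authorize(PERMISSIONS_VULNERABLE, requester, "create_user")
    new = User(email=email, teams={team_id}, validated=True)
    directory.users[email] = new
    return new


def create_user_fixed(directory: Directory, requester: Optional[User],
                      email: str, team_id: int) -> User:
    """Fixed: only admins/sysadmins, and a team admin only inside teams they administer."""
    role = authorize(PERMISSIONS_FIXED, requester, "create_user")
    if role == Role.ADMIN and team_id not in requester.admin_of:
        raise Forbidden(f"not an admin of team {team_id}")
    if email in directory.users:
        raise ValueError("account already exists")
    new = User(email=email, teams={team_id}, validated=True)
    directory.users[email] = new
    return new


def demo() -> dict[str, bool]:
    """Run the same four requests against both handlers; True means an account was created."""
    results: dict[str, bool] = {}
    for label, handler in (("vulnerable", create_user_vulnerable), ("fixed", create_user_fixed)):
        directory = Directory()
        # Constructed sample principals: a regular member of team 1 and an admin of team 2.
        regular = User("alice@example.org", teams={1}, role=Role.USER, validated=True)
        admin = User("bob@example.org", teams={2}, role=Role.ADMIN, validated=True, admin_of={2})
        requests = (("regular_user", regular, 1), ("anonymous", None, 1),
                    ("admin_own_team", admin, 2), ("admin_other_team", admin, 1))
        for who, requester, team in requests:
            try:
                handler(directory, requester, f"new-{who}@example.org", team)
                results[f"{label}:{who}"] = True
            except Forbidden:
                results[f"{label}:{who}"] = False
    return results


if __name__ == "__main__":
    for key, created in demo().items():
        print(f"{key:28s} created={created}")
```

With the vulnerable table a regular member and an anonymous visitor both succeed in creating a validated account; with the fixed table only the admin succeeds, and only in a team they administer. The point to check in a real deployment is the same: which roles the account-creation action is assigned to, whether the target team is bound to the caller's own admin scope, and whether anonymous access widens the set of callers.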


Remediation

Install the security update from the vendor's website.

External links