Incorrect Privilege Assignment in eLabFTW - CVE-2024-25633

Published: August 13, 2024 / Updated: April 24, 2026


Vulnerability identifier: #VU127369
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2024-25633
CWE-ID: CWE-266
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: elabftw
Affected software:
eLabFTW

Detailed vulnerability description

The vulnerability allows a remote user to create user accounts and gain access to team data.

The vulnerability exists due to incorrect privilege assignment in the user account creation functionality when handling account creation requests. A remote user can create new, already-validated accounts in their own team and thereby gain access to team data.

If anonymous access is enabled, unauthenticated users can create regular users in any team.
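As an added example that is not eLabFTW's own code, the following deny-by-default authorization check for a team-scoped account-creation endpoint refuses both conditions the advisory describes (a regular user creating accounts in their own team, and an anonymous session creating accounts in any team). The role names, team ids and function names are assumptions for illustration.

```python
"""Hypothetical authorization check for a team-scoped account-creation
endpoint. Added example, not eLabFTW's code; roles and field names are
assumed for illustration."""
from dataclasses import dataclass
from typing import Optional, Tuple

ANONYMOUS, USER, ADMIN, SYSADMIN = "anonymous", "user", "admin", "sysadmin"


@dataclass(frozen=True)
class Actor:
    role: str
    team_id: Optional[int] = None  # None for anonymous (not logged in) sessions


@dataclass(frozen=True)
class CreateUserRequest:
    team_id: int  # team the new account would be placed in


def authorize_account_creation(actor: Actor, req: CreateUserRequest) -> Tuple[bool, str]:
    """Return (allowed, reason). Deny by default; only explicit grants pass."""
    # Anonymous access is a read-only viewing mode; enabling it must never
    # grant write access to user accounts in any team.
    if actor.role == ANONYMOUS or actor.team_id is None:
        return False, "anonymous sessions cannot create accounts"
    # Sysadmins may create accounts in any team.
    if actor.role == SYSADMIN:
        return True, "sysadmin"
    # Team admins may create accounts only inside their own team.
    if actor.role == ADMIN:
        if actor.team_id != req.team_id:
            return False, "team admin cannot create accounts in another team"
        return True, "team admin in own team"
    # Membership of the target team is not a privilege to create accounts,
    # and certainly not pre-validated ones (CWE-266: the check must be on
    # the actor's role, not merely on the actor belonging to the team).
    return False, "regular users cannot create accounts"


if __name__ == "__main__":
    print(authorize_account_creation(Actor(USER, 7), CreateUserRequest(7)))
    print(authorize_account_creation(Actor(ANONYMOUS), CreateUserRequest(3)))
    print(authorize_account_creation(Actor(ADMIN, 7), CreateUserRequest(7)))
```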


How to mitigate CVE-2024-25633

Install the security update from the vendor's website.

Sources