Improper access control in Tolgee - CVE-2023-38510

Published: July 27, 2023 / Updated: June 2, 2026


Vulnerability identifier: #VU133245
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2023-38510
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Tolgee
Affected software:
Tolgee

Detailed vulnerability description

The vulnerability allows a remote user to modify data to which they have no access.

The vulnerability exists due to improper access control in some backend endpoints when handling requests authenticated with an API key. A remote user can send requests with an API key and modify data to which that key should not grant access.

The issue affects endpoints where the backend authenticates the API key but does not verify the permission scopes associated with it.
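The following is an added illustration of the weakness class described above (CWE-284: the backend authenticates an API key but never authorizes the request against the key's scopes). It is hypothetical Python written for this page, not Tolgee's code; the key tokens, project ids, scope names and endpoint names are all constructed. It places a vulnerable dispatcher, which only checks that the key exists, beside a corrected dispatcher that also checks the key's project binding and required scope, and records every denial so the check is observable.

```python
"""Hypothetical model of API-key scope enforcement (not Tolgee's code).

Shows CWE-284: an endpoint that accepts any valid API key without checking
the key's permission scopes, beside a corrected dispatcher that does.
All keys, projects, scope names and endpoint names are constructed.
"""
from dataclasses import dataclass, field


class Unauthorized(Exception):
    """Raised when no valid API key is presented (authentication failure)."""


class Forbidden(Exception):
    """Raised when a valid key lacks permission (authorization failure)."""


@dataclass(frozen=True)
class ApiKey:
    token: str
    project_id: int          # the single project this key is bound to
    scopes: frozenset        # constructed scope names, e.g. "translations.edit"


@dataclass
class Project:
    project_id: int
    translations: dict = field(default_factory=dict)


# Constructed sample keys: one read-only, one with edit rights, both on project 1.
API_KEYS = {
    "tgpak_readonly": ApiKey("tgpak_readonly", 1, frozenset({"translations.view"})),
    "tgpak_editor": ApiKey("tgpak_editor", 1,
                           frozenset({"translations.view", "translations.edit"})),
}

# Scope each endpoint must require (assumed mapping for this example).
REQUIRED_SCOPE = {
    "get_translation": "translations.view",
    "set_translation": "translations.edit",
}

# Detection hook: denied authorization checks are recorded here for review.
DENIED_EVENTS = []


def sample_projects():
    """Fresh constructed project data so each run starts from a known state."""
    return {
        1: Project(1, {"greeting": "hello"}),
        2: Project(2, {"greeting": "hallo"}),
    }


def authenticate(token):
    key = API_KEYS.get(token)
    if key is None:
        raise Unauthorized("unknown API key")
    return key


def _handle(endpoint, project, key_name, value):
    """The underlying data operation; it trusts that the caller authorized it."""
    if endpoint == "get_translation":
        return project.translations.get(key_name)
    if endpoint == "set_translation":
        project.translations[key_name] = value
        return value
    raise ValueError(f"unknown endpoint {endpoint!r}")


def vulnerable_dispatch(projects, token, endpoint, project_id, key_name, value=None):
    """Flawed: authenticates the key, then runs the operation unconditionally.

    Neither the key's scopes nor its project binding are consulted, so a
    read-only key bound to project 1 can modify any project.
    """
    authenticate(token)
    return _handle(endpoint, projects[project_id], key_name, value)


def fixed_dispatch(projects, token, endpoint, project_id, key_name, value=None):
    """Corrected: authenticate, then authorize before touching any data."""
    key = authenticate(token)
    if key.project_id != project_id:
        DENIED_EVENTS.append((token, endpoint, project_id, "project mismatch"))
        raise Forbidden("API key is not bound to this project")
    required = REQUIRED_SCOPE[endpoint]
    if required not in key.scopes:
        DENIED_EVENTS.append((token, endpoint, project_id, f"missing {required}"))
        raise Forbidden(f"API key lacks scope {required!r}")
    return _handle(endpoint, projects[project_id], key_name, value)


if __name__ == "__main__":
    projects = sample_projects()
    # Read-only key succeeds in writing through the flawed path...
    vulnerable_dispatch(projects, "tgpak_readonly", "set_translation", 1, "greeting", "x")
    # ...and is refused by the corrected one.
    try:
        fixed_dispatch(projects, "tgpak_readonly", "set_translation", 1, "greeting", "y")
    except Forbidden as exc:
        print("denied:", exc, DENIED_EVENTS[-1])
```

The design point is the order of checks in `fixed_dispatch`: project binding and scope are verified before `_handle` is reached, so the data layer never has to guess whether the caller was authorized, and every refusal lands in `DENIED_EVENTS`, which is the kind of signal a defender would forward to logging to spot keys being used outside their granted scope.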


How to mitigate CVE-2023-38510

Install the security update from the vendor's website.

Sources