Improper Authentication in eLabFTW - #VU137343

 

Improper Authentication in eLabFTW - #VU137343

Published: July 12, 2026


Vulnerability identifier: #VU137343
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: N/A
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: elabftw
Affected software:
eLabFTW

Detailed vulnerability description

The vulnerability allows a remote user to access and modify team data after membership revocation.

The vulnerability exists due to improper authentication in API key authorization for archived team members when processing API requests with keys created before archival. A remote user can use a previously issued API key to access and modify team data after membership revocation.

The issue affects users who were archived from a team, while API keys created before archival remain valid for that team.


Remediation

Install security update from vendor's website.

Sources