Improper Authentication in eLabFTW - #VU137343
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote user to access and modify team data after membership revocation.
The vulnerability exists due to improper authentication in API key authorization for archived team members when processing API requests with keys created before archival. A remote user can use a previously issued API key to access and modify team data after membership revocation.
The issue affects users who were archived from a team, while API keys created before archival remain valid for that team.