Authorization bypass through user-controlled key in eLabFTW - #VU137352
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in RequestActions API when handling requests for pending approval actions. A remote user can request another user's pending approval actions to disclose sensitive information.
The issue affects private experiments and resources.