Incorrect authorization in eLabFTW - #VU137354

 

Incorrect authorization in eLabFTW - #VU137354

Published: July 12, 2026


Vulnerability identifier: #VU137354
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: N/A
CWE-ID: CWE-863
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: elabftw
Affected software:
eLabFTW

Detailed vulnerability description

The vulnerability allows a remote attacker to disclose sensitive information.

The vulnerability exists due to incorrect authorization in API list endpoints when processing a specially crafted filter. A remote attacker can call the affected endpoints with a specially crafted filter to disclose sensitive information.

Only instances with anonymous visitors enabled are vulnerable. The issue affects private experiments, resources, and experiment templates across teams the requester does not belong to.


Remediation

Install security update from vendor's website.

Sources