Incorrect authorization in eLabFTW - #VU137354
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote attacker to disclose sensitive information.
The vulnerability exists due to incorrect authorization in API list endpoints when processing a specially crafted filter. A remote attacker can call the affected endpoints with a specially crafted filter to disclose sensitive information.
Only instances with anonymous visitors enabled are vulnerable. The issue affects private experiments, resources, and experiment templates across teams the requester does not belong to.