Missing Authorization in eLabFTW - #VU137357
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to missing authorization in the generic entity update path when handling generic PATCH requests that include raw userid and team fields through EntityParams. A remote user can send a specially crafted PATCH request to disclose sensitive information.
The issue affects ownership transfer between teams through the generic action:update path and bypasses the checks implemented in updateOwnership().