Incorrect authorization in eLabFTW - #VU137358
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to incorrect authorization in scheduler API when returning calendar event data for shared bookable resources. A remote user can request event information to disclose sensitive information.
The exposed data can include the title and id of a private experiment or linked resource bound to a visible calendar event.