Authorization bypass through user-controlled key in eLabFTW - #VU137359
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote user to modify or delete status or category objects in another team.
The vulnerability exists due to authorization bypass through user-controlled key in the team status/category endpoints when handling patch or delete requests with a user-supplied object ID. A remote user can guess a target object ID and send a crafted request to modify or delete status or category objects in another team.
The issue affects cross-team access boundaries between Team A and Team B.