Authorization bypass through user-controlled key in eLabFTW - #VU137360
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote user to delete tags from any entity they can read.
The vulnerability exists due to authorization bypass through user-controlled key in the tag deletion authorization logic when handling tag deletion requests for readable entities. A remote user can send a crafted request targeting another readable entity to delete tags from any entity they can read.
The issue affects authenticated users with read-only access.