Authorization bypass through user-controlled key in eLabFTW - #VU137362
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to improper access control in UserRequestActions API when handling requests for pending request actions. A remote user can supply a user-controlled identifier to read another user's pending request actions to disclose sensitive information.
The exposed information includes experiment and item titles.