Authorization bypass through user-controlled key in eLabFTW - #VU137363

 

Authorization bypass through user-controlled key in eLabFTW - #VU137363

Published: July 12, 2026


Vulnerability identifier: #VU137363
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: elabftw
Affected software:
eLabFTW

Detailed vulnerability description

The vulnerability allows a remote user to read and delete another user's notifications.

The vulnerability exists due to improper access control in the UserNotifications API when handling authenticated requests for notification operations. A remote user can modify a user-controlled key to access another user's notifications and to read and delete another user's notifications.

The issue also allows acknowledging another user's notifications.


Remediation

Install security update from vendor's website.

Sources