Authorization bypass through user-controlled key in eLabFTW - #VU137363
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote user to read and delete another user's notifications.
The vulnerability exists due to improper access control in the UserNotifications API when handling authenticated requests for notification operations. A remote user can modify a user-controlled key to access another user's notifications and to read and delete another user's notifications.
The issue also allows acknowledging another user's notifications.