Improper access control in eLabFTW - #VU137365
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote user to bypass account deactivation controls.
The vulnerability exists due to improper access control in PATCH /api/v2/users/me when handling account update requests. A remote user can send a crafted PATCH request to bypass account deactivation controls.
This issue is theoretical because the validated value can be reverted through the API even though it cannot be set to 0 through the web interface.