Authorization bypass through user-controlled key in eLabFTW - #VU137366

 

Authorization bypass through user-controlled key in eLabFTW - #VU137366

Published: July 12, 2026


Vulnerability identifier: #VU137366
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: elabftw
Affected software:
eLabFTW

Detailed vulnerability description

The vulnerability allows a remote user to access another user's encrypted private signing key.

The vulnerability exists due to improper access control in the `GET /api/v2/users/{id}/sig_keys/` API endpoint when handling requests for another user's signing keys. A remote user can request the endpoint with a different user identifier to access another user's encrypted private signing key.

Exploitation requires authenticated API access, and the targeted user must have at least one active signing key.


Remediation

Install security update from vendor's website.

Sources