Authorization bypass through user-controlled key in eLabFTW - #VU137367
Published: July 12, 2026
eLabFTW
Detailed vulnerability description
The vulnerability allows a remote user to read, modify, or delete procurement requests from other teams.
The vulnerability exists due to improper access control in the procurement requests functionality when handling requests for procurement request objects. A remote privileged user can manipulate request identifiers to read, patch, or delete procurement requests from other teams to read, modify, or delete procurement requests from other teams.