CVE-2025-59036 — MEDIUM (5.5)

Vulnerability Description

Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5, a bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. This issue is fixed in versions 1.3.9 and 1.4.5. As a workaround, users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.

CVSS Score

5.5

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality

LOW

Integrity

LOW

Availability

LOW

Related Weaknesses (CWE)

CWE-298

References

https://github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh

FAQ

What is CVE-2025-59036?

CVE-2025-59036 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5, a bug in the authentication logic will cause API tokens that were deleted and/or expired to b...

How severe is CVE-2025-59036?

CVE-2025-59036 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-59036?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.