1. Home
  2. CVE Database
  3. CVE-2025-67796
HIGH · 8.1

CVE-2025-67796

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authent...

Vulnerability Description

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6.

CVSS Score

8.1

HIGH

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
HIGH
Integrity
HIGH
Availability
NONE

Related Weaknesses (CWE)

CWE-284

References

FAQ

What is CVE-2025-67796?

CVE-2025-67796 is a vulnerability with a CVSS score of 8.1 (HIGH). IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authent...

How severe is CVE-2025-67796?

CVE-2025-67796 has been rated HIGH with a CVSS base score of 8.1/10. Review the CVSS metrics above for detailed severity breakdown.

Is there a patch for CVE-2025-67796?

Check the references section above for vendor advisories and patch information. Review vendor security bulletins for remediation guidance.