Description
Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application
Published: 2026-04-27
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation
Action: Update
AI Analysis

Impact

The vulnerability in the Ribblr:Crotchet and Knitting iOS application allows an authenticated user to bypass the application’s intended authorization controls, enabling them to perform actions that should be reserved for higher‑privilege users. The weakness is classified as CWE‑639, indicating that an attacker can alter the role or permission context of an authenticated user. While it does not provide arbitrary code execution or denial of service, the impact includes unauthorized data disclosure, content modification, or other privileged actions that compromise the integrity and confidentiality of the application data.

Affected Systems

The affected product, as identified by the CNA, is the Ribblr:Crotchet and Knitting iOS application. No specific version information is provided in the advisory, so all releases of the app could be affected until the vendor delivers a patch. Administrators should verify the installed version on user devices to assess exposure.

Risk and Exploitability

The CVSS base score of 5.3 indicates moderate severity. An EPSS score is not available, so a precise exploitation probability cannot be quantified, but the absence of a KEV listing suggests no documented exploitation at present. Based on the description, the likely attack vector involves an authenticated user manipulating client‑side requests or data to override authorization checks. Successful exploitation requires only valid credentials and does not need additional privileges beyond regular application access.

Generated by OpenCVE AI on April 28, 2026 at 19:46 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Contact Ribblr support for a patch or guidance on how to mitigate the vulnerability.
  • Ensure that all privileged operations on the server perform a server‑side role or permission check and reject any requests that do not meet the required access level.
  • Restrict and validate API endpoints so that calls to privileged functions cannot be invoked by lower‑privilege users, and enforce strict request validation on the server.

Generated by OpenCVE AI on April 28, 2026 at 19:46 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

References
Link Providers
https://ribblr.com/ cve-icon cve-icon
History

Tue, 28 Apr 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Ribblr
Ribblr crotchet And Knitting
Vendors & Products Ribblr
Ribblr crotchet And Knitting

Mon, 27 Apr 2026 14:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 27 Apr 2026 13:30:00 +0000

Type Values Removed Values Added
Description Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application
Title Authenticated user can bypass authorization in Ribblr - Crochet & Knitting iOS application
Weaknesses CWE-639
References
Metrics cvssV4_0

{'score': 5.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/AU:Y'}

Subscriptions

Ribblr Crotchet And Knitting
cve-icon MITRE

Status: PUBLISHED

Assigner: NCSC-FI

Published:

Updated: 2026-04-27T13:57:35.842Z

Reserved: 2026-04-09T08:02:43.824Z

Link: CVE-2025-15626

cve-icon Vulnrichment

Updated: 2026-04-27T13:57:32.033Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T14:16:21.513

Modified: 2026-05-19T15:30:46.070

Link: CVE-2025-15626

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T20:00:19Z

Weaknesses