Description
In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker attempts to reset the password of a user account.
Published: 2026-06-17
Score: 8.8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A read‑only account in Citrix Cloud can trigger a workflow that performs write operations by sending a one‑time password to an arbitrary email address. The bug allows an attacker who can exploit a read‑only role to request a password reset for any user, causing the system to deliver an OTP to the attacker’s email. This enables account takeover or other social‑engineering attacks and illustrates improper authorization (CWE‑284).

Affected Systems

All deployments of Citrix Cloud that support password reset operations and provide read‑only roles, up to and including release 2025‑11‑10. No specific version numbers are supplied.

Risk and Exploitability

The CVSS score of 8.8 indicates high severity, and the EPSS score of < 1% shows low current exploitation probability. Because the flaw is not listed in CISA KEV, awareness must remain high. An attacker only needs a read‑only account and the ability to invoke the reset workflow, which can be done via API or UI. Sending the OTP to an arbitrary email enables the attacker to complete a password reset or launch phishing attacks. Therefore, the overall risk is high, and prompt remediation is advisable.

Generated by OpenCVE AI on June 18, 2026 at 20:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Review and enforce correct authorization checks for OTP‑sending workflows so that only privileged accounts may trigger them.
  • Restrict the ability for read‑only roles to invoke password‑reset actions—remove the permission or block the relevant API endpoint.
  • Configure logging and alerts to detect abnormal OTP generation or repeated password‑reset requests from read‑only users.
  • Apply any vendor release or update that corrects this privilege flaw as soon as it is available.

Generated by OpenCVE AI on June 18, 2026 at 20:16 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Citrix
Citrix citrix Cloud
Vendors & Products Citrix
Citrix citrix Cloud

Thu, 18 Jun 2026 20:45:00 +0000

Type Values Removed Values Added
Title Unauthorized Write Operations Triggered by Read-Only Accounts in Citrix Cloud

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-284
Metrics cvssV3_1

{'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 17 Jun 2026 14:00:00 +0000

Type Values Removed Values Added
Description In Citrix Cloud through 2025-11-10, an account with read-only access can trigger the beginning of a workflow for write operations, e.g., the system will send a one-time password to an attacker-controlled email address when the attacker attempts to reset the password of a user account.
References

Subscriptions

Citrix Citrix Cloud
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-17T18:25:44.295Z

Reserved: 2025-11-28T00:00:00.000Z

Link: CVE-2025-66391

cve-icon Vulnrichment

Updated: 2026-06-17T14:59:42.448Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:42:38Z

Weaknesses