Impact
A read‑only account in Citrix Cloud can trigger a workflow that performs write operations by sending a one‑time password to an arbitrary email address. The bug allows an attacker who can exploit a read‑only role to request a password reset for any user, causing the system to deliver an OTP to the attacker’s email. This enables account takeover or other social‑engineering attacks and illustrates improper authorization (CWE‑284).
Affected Systems
All deployments of Citrix Cloud that support password reset operations and provide read‑only roles, up to and including release 2025‑11‑10. No specific version numbers are supplied.
Risk and Exploitability
The CVSS score of 8.8 indicates high severity, and the EPSS score of < 1% shows low current exploitation probability. Because the flaw is not listed in CISA KEV, awareness must remain high. An attacker only needs a read‑only account and the ability to invoke the reset workflow, which can be done via API or UI. Sending the OTP to an arbitrary email enables the attacker to complete a password reset or launch phishing attacks. Therefore, the overall risk is high, and prompt remediation is advisable.
OpenCVE Enrichment