Description
IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6.
Published: 2026-05-04
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability in IKUS Rdiffweb prior to version 2.10.5 is an improper authorization flaw. The API does not bind the authenticated subject to the targeted user or tenant, allowing an attacker who possesses any valid or stolen access token to impersonate other users. This capability enables reading or modifying other users’ data and, in some cases, performing privileged actions that may affect entire tenants.

Affected Systems

Systems running IKUS Rdiffweb versions earlier than 2.10.5 are impacted. The issue has been addressed in version 2.10.6 and later releases.

Risk and Exploitability

Exploitation requires possession of a valid or compromised token. Attackers can craft API requests over the network to other users or tenants, bypassing all authorization checks. Although no CVSS score or EPSS value is available and the vulnerability is not listed in CISA’s KEV catalog, the impact is high: an attacker can acquire full access to the data and operations of any tenant for which they hold a token. The straightforward exploitation path implies a real threat when an attacker gains token access.

Generated by OpenCVE AI on May 4, 2026 at 20:28 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to version 2.10.6 or later to ensure proper authorization checks are enforced.
  • Invalidate any suspected or compromised access tokens and issue fresh tokens to legitimate users.
  • Review and monitor API usage for anomalous cross‑tenant activity to detect potential abuse of valid tokens.

Generated by OpenCVE AI on May 4, 2026 at 20:28 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 04 May 2026 20:45:00 +0000

Type Values Removed Values Added
Title Improper Authorization in IKUS Rdiffweb Allows Cross‑Tenant Access
First Time appeared Ikus-soft
Ikus-soft rdiffweb
Weaknesses CWE-285
Vendors & Products Ikus-soft
Ikus-soft rdiffweb

Mon, 04 May 2026 19:30:00 +0000

Type Values Removed Values Added
Description IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6.
References

Subscriptions

Ikus-soft Rdiffweb
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-04T18:49:37.072Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67796

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-04T20:16:16.260

Modified: 2026-05-04T20:16:16.260

Link: CVE-2025-67796

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-04T20:30:08Z

Weaknesses