CVE-2025-67796 - Vulnerability Details

- Improper Authorization Allows Cross‑Tenant Data Access in IKUS Rdiffweb

Description

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6.

Published: 2026-05-04

Score: 8.1 High

EPSS: < 1% Very Low

KEV: No

Impact:

Action:

Analysis

Impact

The vulnerability in IKUS Rdiffweb prior to version 2.10.5 is an improper authorization flaw. The API does not bind the authenticated subject to the targeted user or tenant, allowing an attacker who possesses any valid or stolen access token to impersonate other users. This capability enables reading or modifying other users’ data and, in some cases, performing privileged actions that may affect entire tenants.

Affected Systems

Systems running IKUS Rdiffweb versions earlier than 2.10.5 are impacted. The issue has been addressed in version 2.10.6 and later releases.

Risk and Exploitability

Exploitation requires possession of a valid or compromised token. The likely attack vector is through crafted API requests sent over the network, which bypass all authorization checks. With a CVSS score of 8.1 and an EPSS score of < 1%, the risk is significant, especially when an attacker gains token access. The vulnerability is not listed in CISA’s KEV catalog. The straightforward exploitation path implies a real threat when an attacker owns a token, enabling full access to the data and operations of any affected tenant.

Default status is the baseline for the product, each version can override it (e.g. patched versions marked unaffected).

Vendor Product Default status Versions

n/a

affected

Version	Status	Constraints
`n/a`	affected	—

No data.

Vendor Product Confidence Versions

Ikus-soft

Rdiffweb

80%

Version	Status	Scheme	Platform
`[0,2.10.6)`	affected	semver	—

Found an issue or want to improve our Enrichment? You can suggest it directly by opening an issue on our dedicated GitHub repository .

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

Upgrade to version 2.10.6 or later to ensure proper authorization checks are enforced.
Invalidate any suspected or compromised access tokens and issue fresh tokens to legitimate users.
Review and monitor API usage for anomalous cross‑tenant activity to detect potential abuse of valid tokens.

Generated by OpenCVE AI on May 5, 2026 at 18:53 UTC.

Tracking

Sign in to view the affected projects.

Advisories

Source	ID	Title
Github GHSA	GHSA-v4gp-hf5j-4566	IKUS Rdiffweb allows an attacker with any valid or stolen access token to act as other users

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

The EPSS score is 0.0003.

Exploitation none

Automatable no

Technical Impact total

References

Link	Providers
https://gitlab.com/ikus-soft/rdiffweb
https://gitlab.com/ikus-soft/rdiffweb#2106-2025-10-02

History

Tue, 05 May 2026 19:15:00 +0000

Type	Values Removed	Values Added
Title		Improper Authorization Allows Cross‑Tenant Data Access in IKUS Rdiffweb

Tue, 05 May 2026 17:45:00 +0000

Type	Values Removed	Values Added
Title	Improper Authorization in IKUS Rdiffweb Allows Cross‑Tenant Access
Weaknesses	CWE-285

Tue, 05 May 2026 15:15:00 +0000

Type	Values Removed	Values Added
Weaknesses		CWE-284
Metrics		cvssV3_1 `{'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N'}` ssvc `{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}`

Mon, 04 May 2026 20:45:00 +0000

Type	Values Removed	Values Added
Title		Improper Authorization in IKUS Rdiffweb Allows Cross‑Tenant Access
First Time appeared		Ikus-soft Ikus-soft rdiffweb
Weaknesses		CWE-285
Vendors & Products		Ikus-soft Ikus-soft rdiffweb

Mon, 04 May 2026 19:30:00 +0000

Type	Values Removed	Values Added
Description		IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6.
References		https://gitlab.com/ikus-soft/rdiffweb https://gitlab.com/ikus-soft/rdiffweb#2106-2025-10-02

Subscriptions

Ikus-soft Rdiffweb

MITRE

Status: PUBLISHED

Assigner: mitre

Published: 2026-05-04T00:00:00.000Z

Updated: 2026-05-05T15:06:54.781Z

Reserved: 2025-12-12T00:00:00.000Z

Link: CVE-2025-67796

Vulnrichment

Updated: 2026-05-05T15:06:34.818Z

NVD

Status : Awaiting Analysis

Published: 2026-05-04T20:16:16.260

Modified: 2026-05-07T15:53:49.717

Link: CVE-2025-67796

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-05T19:00:12Z

Weaknesses

CWE-284

Impact

Affected Systems

Risk and Exploitability

Tracking

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact None

User Interaction None

Exploitation none

Automatable no

Technical Impact total

Subscriptions

JSON object

JSON object

JSON object

JSON object

JSON object