Description
eLabFTW is an open source electronic lab notebook. Prior to version 5.4.2, in certain cases, an authenticated user performing a numeric reference/search can return results that include resources the requesting user is not authorized to view. The exposed information is limited (only the title). Attempts to access the underlying protected resource content remain blocked by authorization checks. Version 5.4.2 fixes the issue.

# Affected Scope

Cross-scope visibility of titles.
No confirmed bypass of content-level access controls.

# Preconditions

An authenticated user account

No special privileges required beyond standard access

# Impact

This may enable unauthorized disclosure of sensitive information if confidential data is included in resource titles. Examples could include project names, patient identifiers, or other regulated information embedded in titles.
Published: 2026-06-01
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is an information disclosure flaw caused by an autocompletion search feature that reveals the titles of protected resources to authenticated users who do not have permission to view the full content. Only the title is exposed, but if a title contains sensitive or regulated data, such as project names or patient identifiers, the confidentiality of that information is at risk. The weakness is identified as CWE-200.

Affected Systems

The flaw affects installations of eLabFTW, an open-source electronic lab notebook, in versions older than 5.4.2. Users of any standard authenticated account are subject to the impact; no special privileges are required.

Risk and Exploitability

The CVSS score of 4.3 indicates a moderate severity, while the EPSS score is not available and the vulnerability is not listed in CISA KEV, suggesting a lower exploitation likelihood. However, the attack requires only an authenticated account, meaning any logged-in user could perform a numeric reference/search that triggers the autocompletion and leaks titles. Because the underlying content remains protected by authorization checks, the impact is limited to disclosure of titles only, but the presence of sensitive data in titles could still be a serious privacy concern.

Generated by OpenCVE AI on June 1, 2026 at 23:36 UTC.
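As an added illustration of the flaw class described in the analysis above (a constructed example, not eLabFTW's own code; the entry model, the `can_read` rule and all function names are assumptions), a numeric-reference autocompletion that filters only on the identifier is shown beside one that applies the same read check as the content view, together with a regression check that flags any returned title whose entry the requester could not open:

```python
# Constructed illustration, not eLabFTW's code: an autocompletion lookup
# that leaks titles across scopes, beside one that applies the same
# read check the content endpoint enforces. Data model is assumed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    id: int
    title: str
    team: int           # owning team
    visibility: str     # "team" (owning team only) or "public"


@dataclass(frozen=True)
class User:
    id: int
    team: int


# Constructed sample data: two teams, one public entry.
ENTRIES = [
    Entry(1, "Public protocol v3", team=1, visibility="public"),
    Entry(12, "Patient 4471 biopsy", team=2, visibility="team"),
    Entry(13, "Project Orion", team=1, visibility="team"),
]


def can_read(user: User, entry: Entry) -> bool:
    """Content-level authorization: the rule the entry view enforces."""
    return entry.visibility == "public" or entry.team == user.team


def autocomplete_leaky(user: User, query: str) -> list[str]:
    """Numeric-reference autocompletion that never consults can_read."""
    return [e.title for e in ENTRIES if str(e.id).startswith(query)]


def autocomplete_safe(user: User, query: str) -> list[str]:
    """Same lookup, but only entries the requester may read are returned."""
    return [e.title for e in ENTRIES
            if str(e.id).startswith(query) and can_read(user, e)]


def leaked_titles(user: User, query: str, search) -> list[str]:
    """Regression check: titles from `search` that can_read would deny.

    Any non-empty result means the search path is a weaker gate than
    the content path, which is exactly the cross-scope leak at issue.
    """
    readable = {e.title for e in ENTRIES if can_read(user, e)}
    return [t for t in search(user, query) if t not in readable]
```

Running `leaked_titles` against every search or autocomplete endpoint with a low-privilege test account is the practical regression test: the search result set must always be a subset of what the same account can open.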

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the eLabFTW installation to version 5.4.2 or later, which implements the fix for title leakage.
  • After upgrading, audit and, if necessary, sanitize existing entry titles to remove or obfuscate any confidential or regulated information they may contain.
  • If an immediate upgrade is not possible, disable or restrict the autocompletion search feature until the update can be applied to prevent cross-scope title visibility.

Generated by OpenCVE AI on June 1, 2026 at 23:36 UTC.

Advisories

No advisories yet.

History

Tue, 02 Jun 2026 16:30:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 02 Jun 2026 01:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Elabftw; Elabftw elabftw
Vendors & Products                     Elabftw; Elabftw elabftw

Mon, 01 Jun 2026 22:30:00 +0000

Type          Values Removed   Values Added
Description                    (the CVE description shown at the top of this page)
Title                          elabftw has entry title leakage through autocompletion search
Weaknesses                     CWE-200
References                     (none)
Metrics                        cvssV3_1 {'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-02T15:55:36.029Z

Reserved: 2026-02-27T20:57:47.710Z

Link: CVE-2026-28511

Vulnrichment

Updated: 2026-06-02T15:54:22.229Z

NVD

Status : Awaiting Analysis

Published: 2026-06-01T23:16:22.080

Modified: 2026-06-02T13:56:25.773

Link: CVE-2026-28511

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-02T01:00:11Z

Weaknesses