Description
ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.
Published: 2026-04-27
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Missing Authorization
Action: Apply Patch
AI Analysis

Impact

ProjeQtor versions 7.0 through 12.4.3 have a missing authorization flaw in the objectDetail.php endpoint that lets any authenticated user with guest permissions retrieve sensitive data belonging to other users, including password hashes and API keys. This flaw also enables attackers to obtain administrator credentials, enabling privilege escalation. The weakness is an Authentication Bypass (CWE‑862).

Affected Systems

The affected products are ProjeQtor, a software project management platform, specifically versions 7.0 to 12.4.3. All installations of these versions run the vulnerable objectDetail.php endpoint.

Risk and Exploitability

The CVSS score is 7.1, indicating a high severity of vulnerability. Although a precise EPSS score is unavailable, the lack of a KEV listing suggests no publicly disclosed exploit yet. Attackers require authentication with guest‑level access, so the risk is primarily internal or on networks where legitimate users have guest accounts. If the endpoint is reachable, an attacker can easily retrieve privileged data and elevate privileges.

Generated by OpenCVE AI on April 28, 2026 at 04:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to ProjeQtor v12.4.4 or later to remove the missing authorization bug.
  • Restrict guest‑level users from accessing the objectDetail.php endpoint by adjusting role permissions or removing guest roles.
  • Monitor audit logs for unexpected calls to objectDetail.php and enforce least privilege for all users.

Generated by OpenCVE AI on April 28, 2026 at 04:20 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 29 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Tue, 28 Apr 2026 03:00:00 +0000

Type Values Removed Values Added
First Time appeared Projeqtor
Projeqtor projeqtor
Vendors & Products Projeqtor
Projeqtor projeqtor

Mon, 27 Apr 2026 15:30:00 +0000

Type Values Removed Values Added
Description ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.
Title ProjeQtor < 12.4.4 Missing Authorization via objectDetail.php
Weaknesses CWE-862
References
Metrics cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

cvssV4_0

{'score': 7.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N'}

Subscriptions

Projeqtor Projeqtor
cve-icon MITRE

Status: PUBLISHED

Assigner: VulnCheck

Published:

Updated: 2026-05-14T02:09:48.674Z

Reserved: 2026-04-20T16:07:47.310Z

Link: CVE-2026-41464

cve-icon Vulnrichment

Updated: 2026-04-29T13:54:41.592Z

cve-icon NVD

Status : Deferred

Published: 2026-04-27T16:16:45.647

Modified: 2026-04-27T18:35:53.583

Link: CVE-2026-41464

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T04:30:21Z

Weaknesses