CVE-2024-28087 identifies an IDOR vulnerability in the Bonitasoft runtime Community edition stemming from the lack of dynamic permissions enforcement. Dynamic permissions, which control fine-grained access to resources, were initially exclusive to the Subscription edition but have recently been reintroduced in the Community edition without customization capabilities. This means that access control checks are insufficiently granular, allowing attackers to directly reference and access objects or resources they should not be authorized to use. The vulnerability does not require authentication or user interaction and can be exploited remotely over the network, as indicated by the CVSS vector (AV:N/AC:L/PR:N/UI:N). The impact primarily affects confidentiality and integrity, as unauthorized data access or modification is possible, but availability remains unaffected. The vulnerability is categorized under CWE-284, which involves improper access control mechanisms. No patches or known exploits have been reported yet, but the presence of this vulnerability in an open-source community edition could attract attackers targeting organizations using this BPM (Business Process Management) platform. The lack of customizable dynamic permissions limits administrators' ability to tailor access controls to their environment, increasing risk exposure.

The vulnerability allows unauthorized users to access or manipulate sensitive objects within the Bonitasoft runtime Community edition, potentially exposing confidential business process data or enabling unauthorized modifications. This can lead to data leakage, unauthorized data manipulation, and potential disruption of business workflows. Organizations relying on Bonitasoft for critical process automation may face risks to data integrity and confidentiality, which could impact compliance with data protection regulations. Although availability is not directly affected, the breach of confidentiality and integrity could undermine trust in the platform and cause operational disruptions. Since the vulnerability requires no authentication and can be exploited remotely, the attack surface is broad, especially for publicly accessible deployments. The lack of customizable permissions further exacerbates the risk by limiting mitigation options within the affected edition.

Organizations should immediately review their use of Bonitasoft runtime Community edition and restrict its exposure to untrusted networks to reduce attack surface. Network-level controls such as firewalls and VPNs should be employed to limit access to the application. Administrators should monitor for unusual access patterns or unauthorized data access attempts. Since no official patches are currently available, consider upgrading to the Subscription edition if dynamic permissions and customizable access controls are critical for security. Alternatively, implement compensating controls such as application-layer proxies or custom access control mechanisms to enforce stricter permission checks. Stay alert for vendor advisories and apply patches promptly once released. Conduct regular security assessments and penetration tests focusing on access control weaknesses. Finally, educate developers and administrators about the risks of IDOR vulnerabilities and the importance of fine-grained access control.