
CVE-2025-10761: Improper Restriction of Excessive Authentication Attempts in Harness

Medium
Published: Sun Sep 21 2025 (09/21/2025, 03:02:08 UTC)
Source: CVE Database V5
Product: Harness

Description

A vulnerability has been found in Harness 3.3.0. Affected is an unknown function of the file /api/v1/login of the component Login Endpoint. The manipulation leads to improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack is considered to have high complexity. Exploitation is said to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

AI-Powered Analysis

Last updated: 09/29/2025, 00:45:16 UTC

Technical Analysis

CVE-2025-10761 is a vulnerability identified in Harness version 3.3.0, specifically affecting the login endpoint at /api/v1/login. The core issue is an improper restriction on excessive authentication attempts, meaning the system does not adequately limit the number of login attempts an attacker can make. This flaw allows an attacker to perform brute-force or credential-stuffing attacks remotely without triggering effective lockout mechanisms. The vulnerability is remotely exploitable without requiring any authentication or user interaction, but it has a high attack complexity, indicating that exploitation requires significant effort or specific conditions. The CVSS 4.0 base score is 6.3 (medium severity), reflecting that while the vulnerability can be exploited remotely, the impact on confidentiality, integrity, and availability is limited (only a low impact on confidentiality is noted). The vendor has been contacted but has not responded, and no patches or mitigations have been publicly released yet. The vulnerability disclosure is public, but no known exploits are currently observed in the wild. This vulnerability could allow attackers to gain unauthorized access to user accounts by repeatedly attempting passwords without effective rate limiting or lockout, potentially leading to account compromise if weak or reused credentials are present.

Potential Impact

For European organizations using Harness 3.3.0, this vulnerability poses a risk of unauthorized access through brute-force attacks on user accounts. Although the impact on confidentiality is considered low, successful exploitation could lead to account takeover, exposing sensitive project deployment pipelines, configuration data, or other critical operational information managed through Harness. This could disrupt DevOps workflows, cause data leakage, or enable further lateral movement within the organization’s infrastructure. Given the medium severity and high attack complexity, the threat is moderate but should not be underestimated, especially in environments where multi-factor authentication is not enforced or where weak passwords are common. The lack of vendor response and absence of patches increases the risk window for European entities relying on this software. Additionally, organizations in regulated sectors (finance, healthcare, critical infrastructure) may face compliance and reputational risks if such an account compromise occurs.

Mitigation Recommendations

European organizations should immediately audit their use of Harness 3.3.0 and consider the following mitigations:
1) Implement external rate limiting and account lockout policies at the network or application gateway level to prevent brute-force attempts against the login endpoint.
2) Enforce strong password policies and mandatory multi-factor authentication (MFA) for all users accessing Harness to reduce the risk of credential compromise.
3) Monitor authentication logs for unusual patterns indicative of brute-force or credential stuffing attacks and trigger alerts for investigation.
4) If feasible, isolate the Harness login endpoint behind VPNs or IP allowlists to restrict access to trusted networks.
5) Engage with the vendor or community to track any forthcoming patches or updates and plan for immediate deployment once available.
6) Consider upgrading to a later, unaffected version of Harness if available.
7) Conduct user awareness training on credential hygiene and phishing risks to reduce the likelihood of compromised credentials being used.
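Detection logic for mitigation 3, as an added example that is not part of the original advisory or of Harness: it runs a sliding-window check over constructed gateway-style access log lines for /api/v1/login and flags a source IP for brute force (many failures, one or more users) or credential stuffing (failures across many distinct users). The log line format, the sample IPs and user names, and the thresholds are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an assumed format (not real Harness log output):
# "<ISO-8601 UTC time> <client ip> POST /api/v1/login user=<name> status=<code>"
SAMPLE_LOG = """\
2025-09-21T03:00:00Z 192.0.2.5 POST /api/v1/login user=alice status=200
2025-09-21T03:01:00Z 203.0.113.7 POST /api/v1/login user=alice status=401
2025-09-21T03:01:05Z 203.0.113.7 POST /api/v1/login user=alice status=401
2025-09-21T03:01:10Z 203.0.113.7 POST /api/v1/login user=alice status=401
2025-09-21T03:01:15Z 203.0.113.7 POST /api/v1/login user=alice status=401
2025-09-21T03:01:20Z 203.0.113.7 POST /api/v1/login user=alice status=401
2025-09-21T03:02:00Z 198.51.100.9 POST /api/v1/login user=alice status=401
2025-09-21T03:02:30Z 198.51.100.9 POST /api/v1/login user=bob status=401
2025-09-21T03:03:00Z 198.51.100.9 POST /api/v1/login user=carol status=401
"""

LINE_RE = re.compile(r"^(\S+) (\S+) POST /api/v1/login user=(\S+) status=(\d{3})$")


def parse_failures(text):
    """Yield (time, ip, user) for every failed (non-2xx) login on /api/v1/login."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m and not m.group(4).startswith("2"):
            yield datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)


def detect(text, window=timedelta(minutes=5), max_failures=5, max_users=3):
    """Sliding-window check per source IP. Returns a sorted list of (ip, kind):
    'brute_force' when >= max_failures failures fall inside one window,
    'credential_stuffing' when >= max_users distinct users fail inside one window."""
    by_ip = defaultdict(list)
    for ts, ip, user in sorted(parse_failures(text)):
        by_ip[ip].append((ts, user))
    findings = set()
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):
            # slide the window start forward so events[start:end+1] spans <= window
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) >= max_failures:
                findings.add((ip, "brute_force"))
            if len({u for _, u in span}) >= max_users:
                findings.add((ip, "credential_stuffing"))
    return sorted(findings)
```

In a real deployment the thresholds should be tuned against baseline traffic, and findings should be fed to the alerting pipeline rather than returned to a caller.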


Technical Details

Data Version: 5.1
Assigner Short Name: VulDB
Date Reserved: 2025-09-20T07:05:11.193Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68cf6e624a0b186b932318d7

Added to database: 9/21/2025, 3:17:54 AM

Last enriched: 9/29/2025, 12:45:16 AM

Last updated: 11/4/2025, 11:06:49 AM

Views: 90
