
CVE-2025-11239: CWE-863 Incorrect Authorization in KNIME Business Hub

Severity: Low
Tags: Vulnerability, CVE-2025-11239, CWE-863
Published: Thu Oct 02 2025 (10/02/2025, 12:23:18 UTC)
Source: CVE Database V5
Vendor/Project: KNIME
Product: KNIME Business Hub

Description

Potentially sensitive information in jobs on KNIME Business Hub prior to 1.16.0 was visible to all members of the user's team. Starting with KNIME Business Hub 1.16.0, only metadata of jobs is shown to team members. Only the creator of a job can see all information, including input and output data (if present).

AI-Powered Analysis

Last updated: 10/02/2025, 12:31:43 UTC

Technical Analysis

CVE-2025-11239 is a vulnerability classified under CWE-863 (Incorrect Authorization) affecting KNIME Business Hub versions prior to 1.16.0. The platform's access control for jobs was too permissive: sensitive information contained in a job, including its input and output data, was accessible to every member of the creator's team rather than being restricted to the job creator. Starting with version 1.16.0, KNIME limits what team members can see to job metadata only; the creator remains the only user who can access the full job record, including its data. The vulnerability has a CVSS 4.0 base score of 2.3, indicating low severity. The vector describes a network-reachable issue (AV:N) with low attack complexity (AC:L) that requires low privileges (PR:L) and no user interaction (UI:N); it has a limited impact on confidentiality (VC:L) and none on integrity or availability. No known exploits are reported in the wild. The root cause is a missing authorization check: the job view did not distinguish the creator from other team members before returning the job's data. The practical consequence is unauthorized disclosure of business or analytical data processed in KNIME workflows to unintended internal users. The exposure is confined to users within the same team, and reaching the data requires at least low-level privileges on the platform.

Potential Impact

For European organizations using KNIME Business Hub, particularly those handling sensitive or proprietary data in their data analytics workflows, this vulnerability could lead to unauthorized internal data exposure. While the risk is limited to team members within the same organizational unit, this could still result in breaches of confidentiality, especially in regulated industries such as finance, healthcare, or critical infrastructure where data privacy is paramount. The exposure of input and output data from analytical jobs could reveal sensitive business insights, personal data, or intellectual property. Given the low CVSS score and the requirement for at least low-level privileges, the threat is moderate but should not be ignored. Organizations with collaborative teams using KNIME Business Hub versions prior to 1.16.0 should be aware of the risk of insider data leaks or accidental data exposure. The vulnerability does not impact system availability or integrity, so operational disruption is unlikely. However, compliance with GDPR and other European data protection regulations may be affected if sensitive personal data is exposed internally without proper authorization controls.

Mitigation Recommendations

European organizations should upgrade KNIME Business Hub to version 1.16.0 or later, where the authorization model has been corrected to restrict sensitive job data visibility to the job creator only. Until the upgrade is applied, organizations should implement strict access controls at the team level, limiting membership to trusted users and minimizing the number of users with low-level privileges who can access job data. Additionally, organizations should audit existing job data exposure within teams to identify any sensitive information that may have been improperly shared. Implementing monitoring and alerting on unusual access patterns to job data can help detect potential misuse. Training and awareness for users about the sensitivity of job data and the importance of access controls within KNIME Business Hub are also recommended. Finally, organizations should review internal policies to ensure that data sharing within teams complies with data protection requirements and consider encrypting sensitive data inputs and outputs where feasible.
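The following is an added example and not KNIME's code; it is a hypothetical model of the authorization behaviour the advisory describes, using invented names (`User`, `Job`, `view_job_legacy`, `view_job_fixed`, `audit_exposed_jobs`) and constructed sample data. It shows the pre-1.16.0 flaw (any team member receives the full job record, data included) beside the corrected check (team members receive metadata only, the creator receives everything), and it implements the audit step from the recommendations above: listing which non-creator team members could have seen a job's input or output data under the old behaviour.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class User:
    # Hypothetical minimal user record: identity plus team membership.
    user_id: str
    team_id: str


@dataclass
class Job:
    # Hypothetical job record. input_data/output_data are the sensitive parts
    # the advisory says were exposed to the whole team before 1.16.0.
    job_id: str
    creator_id: str
    team_id: str
    workflow_name: str
    state: str
    input_data: Optional[dict] = None
    output_data: Optional[dict] = None

    def metadata(self) -> dict:
        """Non-sensitive fields: what 1.16.0 shows to team members."""
        return {
            "job_id": self.job_id,
            "creator_id": self.creator_id,
            "workflow_name": self.workflow_name,
            "state": self.state,
        }

    def full(self) -> dict:
        """Everything, including in- and output data: creator-only view."""
        record = self.metadata()
        record["input_data"] = self.input_data
        record["output_data"] = self.output_data
        return record


def view_job_legacy(job: Job, requester: User) -> dict:
    """Models the flawed behaviour (CWE-863): the only check is team membership,
    so every team member gets the full record, data included."""
    if requester.team_id != job.team_id:
        raise PermissionError("requester is not a member of the job's team")
    return job.full()


def view_job_fixed(job: Job, requester: User) -> dict:
    """Models the 1.16.0 behaviour: team membership grants metadata only;
    the creator identity check gates the sensitive data."""
    if requester.team_id != job.team_id:
        raise PermissionError("requester is not a member of the job's team")
    if requester.user_id == job.creator_id:
        return job.full()
    return job.metadata()


def audit_exposed_jobs(jobs: list, members: list) -> list:
    """Audit helper for the pre-upgrade window: for every job that carries
    in- or output data, list the team members other than the creator who could
    have viewed it under the legacy behaviour. Returns (job_id, [user_ids])."""
    findings = []
    for job in jobs:
        if job.input_data is None and job.output_data is None:
            continue  # nothing sensitive to expose
        viewers = sorted(
            m.user_id for m in members
            if m.team_id == job.team_id and m.user_id != job.creator_id
        )
        if viewers:
            findings.append((job.job_id, viewers))
    return findings


# Constructed sample data (not from the advisory).
ALICE = User("alice", "team-analytics")   # job creator
BOB = User("bob", "team-analytics")       # same team, not the creator
CAROL = User("carol", "team-finance")     # different team
TEAM = [ALICE, BOB]
JOB_WITH_DATA = Job("job-1", "alice", "team-analytics", "churn-model", "EXECUTED",
                    input_data={"customer_ids": [101, 102]},
                    output_data={"scores": [0.91, 0.12]})
JOB_NO_DATA = Job("job-2", "bob", "team-analytics", "etl-nightly", "QUEUED")

if __name__ == "__main__":
    print("legacy, bob sees:", sorted(view_job_legacy(JOB_WITH_DATA, BOB)))
    print("fixed, bob sees: ", sorted(view_job_fixed(JOB_WITH_DATA, BOB)))
    print("fixed, alice sees:", sorted(view_job_fixed(JOB_WITH_DATA, ALICE)))
    print("audit:", audit_exposed_jobs([JOB_WITH_DATA, JOB_NO_DATA], TEAM))
```

The design point is that the fix is an additional identity check layered on top of team membership, not a replacement for it: `view_job_fixed` still refuses users outside the team, and only then decides between the metadata and full views. The audit helper deliberately skips jobs without data, so its output is the list worth reviewing for improper sharing before the upgrade.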


Technical Details

Data Version: 5.1
Assigner Short Name: KNIME
Date Reserved: 2025-10-02T12:05:47.957Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68de708c9a610dc11233fc63

Added to database: 10/2/2025, 12:31:08 PM

Last enriched: 10/2/2025, 12:31:43 PM

Last updated: 10/2/2025, 1:18:21 PM
