CVE-2025-13829: CWE-863 Incorrect Authorization in Data Illusion Zumbrunn NGSurvey
Incorrect Authorization vulnerability in Data Illusion Zumbrunn NGSurvey allows any logged-in user to obtain the private information of any other user. Critical information retrieved:
- APIKEY (1 year user Session)
- RefreshToken (10 minutes user Session)
- Password hashed with bcrypt
- User IP
- Email
- Full Name
AI Analysis
Technical Summary
CVE-2025-13829 is an incorrect authorization vulnerability (CWE-863) in Data Illusion Zumbrunn's NGSurvey product, recorded as affecting version 0. The flaw allows any authenticated user to retrieve private information belonging to other users, because the application does not verify that the requester is authorized to read the requested record. The exposed data includes highly sensitive credentials: API keys that grant one-year user sessions, refresh tokens valid for 10 minutes, bcrypt-hashed passwords, user IP addresses, email addresses, and full names. Exploitation requires no user interaction, works remotely over the network with low attack complexity, and needs no privileges beyond a valid login session. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N/AU:Y) encodes a network attack vector, low attack complexity, no attack requirements, low privileges required (an ordinary login), no user interaction, high impact on the confidentiality and integrity of the vulnerable system (VC:H/VI:H), no availability impact, no impact on subsequent systems, and the supplemental Automatable metric set to Yes. Although no public exploits are currently known, the exposure of long-lived API keys and refresh tokens significantly increases the risk of session hijacking and lateral movement within affected environments. The vulnerability undermines the confidentiality and integrity of user data and could lead to unauthorized access, data leakage, and potential privilege escalation. The lack of an available patch makes immediate compensating controls and monitoring necessary.
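The following is an added example, not NGSurvey code, showing the access-control mistake the summary describes beside a hardened version: a user-lookup handler that checks only that the caller is logged in, and one that enforces ownership and serializes an allow-list of fields so credentials never leave the server. The record layout, user store and values are constructed placeholders, not taken from the product.

```python
# Added example (not NGSurvey code): a user-lookup handler with the CWE-863 flaw
# the advisory describes, beside a hardened version. Record layout and values are
# constructed placeholders, not taken from the product.
from dataclasses import dataclass, asdict

@dataclass
class User:
    id: int
    full_name: str
    email: str
    ip: str
    password_hash: str   # bcrypt hash; must never be serialized to a client
    api_key: str         # long-lived (1 year) credential
    refresh_token: str   # short-lived (10 min) credential
    role: str = "user"

# Constructed sample store (placeholder values).
USERS = {
    1: User(1, "Alice Example", "alice@example.test", "192.0.2.10",
            "$2b$12$placeholderhash-alice", "APIKEY-ALICE", "REFRESH-ALICE"),
    2: User(2, "Bob Example", "bob@example.test", "192.0.2.20",
            "$2b$12$placeholderhash-bob", "APIKEY-BOB", "REFRESH-BOB", "admin"),
}

class Forbidden(Exception):
    """Raised when the caller may not read the requested record (HTTP 403)."""

def get_user_vulnerable(session_user_id: int, target_id: int) -> dict:
    # Flaw: the session only proves the caller is logged in. There is no check
    # that the caller owns `target_id`, and the whole record, secrets included,
    # is returned, so any authenticated user can read anyone else's credentials.
    return asdict(USERS[target_id])

# Fields a profile response is allowed to carry; credentials are never among them.
PROFILE_FIELDS = ("id", "full_name", "email")

def get_user_hardened(session_user_id: int, target_id: int) -> dict:
    caller = USERS[session_user_id]
    # Object-level authorization: only the owner (or an admin) may read the record.
    if caller.id != target_id and caller.role != "admin":
        raise Forbidden(f"user {caller.id} may not read user {target_id}")
    record = USERS[target_id]
    # Allow-list serialization: even the owner never receives hash, key or token.
    return {field: getattr(record, field) for field in PROFILE_FIELDS}

if __name__ == "__main__":
    print(get_user_vulnerable(1, 2))   # leaks Bob's api_key, token and hash
    print(get_user_hardened(1, 1))     # Alice's own public profile only
    try:
        get_user_hardened(1, 2)
    except Forbidden as exc:
        print("403:", exc)
```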
Potential Impact
For European organizations, this vulnerability presents a critical risk to user privacy and data security, especially for entities relying on NGSurvey for sensitive data collection and analysis. Exposure of API keys and refresh tokens can enable attackers to impersonate users or maintain persistent access, leading to data breaches and compliance violations under GDPR. The disclosure of bcrypt-hashed passwords still poses a risk, since an attacker holding the hashes can attempt offline cracking. The leakage of personally identifiable information (PII) such as email addresses, full names, and IP addresses can facilitate targeted phishing, social engineering, and further attacks. Organizations may suffer reputational damage, regulatory penalties, and operational disruptions. The vulnerability's ease of exploitation and broad impact on confidentiality and integrity make it a significant threat to European companies, especially those in sectors such as research, healthcare, and government that handle sensitive survey data.
Mitigation Recommendations
1. Immediately restrict access to NGSurvey to trusted users and networks until a patch is available.
2. Implement strict role-based access control (RBAC) and enforce least-privilege principles to limit user permissions.
3. Conduct thorough code reviews and add robust authorization checks to ensure users can only access their own data.
4. Rotate all API keys and refresh tokens to invalidate potentially compromised credentials.
5. Enhance monitoring and logging to detect unusual access patterns or data exfiltration attempts.
6. Educate users about phishing risks that may arise from leaked PII.
7. If possible, isolate NGSurvey instances and segment networks to contain potential breaches.
8. Engage with the vendor for timely patch releases and apply updates promptly once available.
9. Consider multi-factor authentication (MFA) to reduce the risk of unauthorized access using stolen credentials.
10. Perform regular penetration testing and vulnerability assessments focusing on authorization controls.
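As an added example for the monitoring step above (not part of the advisory or the product), this script flags sessions that read many other users' records, the access pattern a bulk abuse of this flaw would leave in an access log. The log format and the `/api/users/<id>` path layout are assumptions, and the log lines are constructed.

```python
# Added example (not part of the advisory): flag sessions that read many other
# users' records, the pattern mitigation step 5 is meant to catch.
# Log format and path layout are assumptions; the log lines are constructed.
import re
from collections import defaultdict

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\d+) GET /api/users/(?P<target>\d+)$")

# Constructed sample log: user 7 reads seven other profiles within seconds,
# while user 3 only ever reads its own record.
SAMPLE_LOG = """\
2025-12-01T15:30:01Z user=3 GET /api/users/3
2025-12-01T15:30:02Z user=7 GET /api/users/7
2025-12-01T15:30:03Z user=7 GET /api/users/1
2025-12-01T15:30:04Z user=7 GET /api/users/2
2025-12-01T15:30:05Z user=7 GET /api/users/3
2025-12-01T15:30:06Z user=7 GET /api/users/4
2025-12-01T15:30:07Z user=7 GET /api/users/5
2025-12-01T15:30:08Z user=7 GET /api/users/6
2025-12-01T15:30:09Z user=7 GET /api/users/8
2025-12-01T15:31:00Z user=3 GET /api/users/3
"""

def cross_user_reads(log_text: str) -> dict:
    """Map each session user to the set of other users' records it fetched."""
    reads = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue  # unrelated request or unparsable line
        user, target = m["user"], m["target"]
        if user != target:  # reading your own record is expected behaviour
            reads[user].add(target)
    return reads

def flag_enumerators(log_text: str, threshold: int = 5) -> list:
    """Users whose distinct cross-user reads reach the threshold, largest first."""
    reads = cross_user_reads(log_text)
    hits = [(user, len(targets)) for user, targets in reads.items()
            if len(targets) >= threshold]
    return sorted(hits, key=lambda hit: -hit[1])

if __name__ == "__main__":
    for user, count in flag_enumerators(SAMPLE_LOG):
        print(f"user {user} read {count} other users' records")
```

Tune the threshold to the application: legitimate administrators may read other users' profiles, so pair this with the role of the session user and alert on ordinary accounts first.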
Affected Countries
Germany, France, United Kingdom, Netherlands, Sweden, Belgium, Italy
Technical Details
- Data Version: 5.2
- Assigner Short Name: TCS-CERT
- Date Reserved: 2025-12-01T15:30:15.569Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 692dbca6f910530b0eb80dfc
Added to database: 12/1/2025, 4:04:54 PM
Last enriched: 12/1/2025, 4:20:07 PM
Last updated: 12/4/2025, 5:32:45 PM