
CVE-2025-41091: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner

Severity: High
Tags: Vulnerability, CVE-2025-41091, CWE-639
Published: Tue Sep 30 2025 (09/30/2025, 11:10:49 UTC)
Source: CVE Database V5
Vendor/Project: GLOBAL PLANNING SOLUTIONS S.L (GPS)
Product: BOLD Workplanner

Description

CVE-2025-41091 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in GLOBAL PLANNING SOLUTIONS S.L.'s BOLD Workplanner versions prior to 2.5.25. It allows authenticated users to bypass authorization controls by manipulating user-controlled keys to access unauthorized calendar details. The vulnerability requires no user interaction and can be exploited remotely with low complexity. Although no known exploits are currently reported in the wild, the flaw poses a significant risk to confidentiality due to unauthorized data exposure. European organizations using affected versions should prioritize patching once available and implement strict access controls. Countries with higher adoption of BOLD Workplanner and critical infrastructure relying on scheduling tools are at greater risk. Mitigation includes monitoring access logs for anomalous activity and restricting internal identifier exposure.

AI-Powered Analysis

Last updated: 10/07/2025, 11:28:44 UTC

Technical Analysis

CVE-2025-41091 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting BOLD Workplanner, a scheduling and resource planning software developed by GLOBAL PLANNING SOLUTIONS S.L. The flaw exists in versions prior to 2.5.25, specifically version 2.5.24 and earlier. It arises from insufficient validation of user-supplied input, allowing authenticated users to manipulate internal identifiers (keys) to access calendar details that they are not authorized to view. This type of vulnerability is commonly known as an Insecure Direct Object Reference (IDOR): the application authenticates the caller but never checks, per object, whether that caller may read the record the supplied key points to. The vulnerability can be exploited remotely over the network without requiring user interaction or elevated privileges beyond authentication. The CVSS 4.0 score of 7.1 indicates a high severity, with a network attack vector, low attack complexity, no privileges required beyond authentication, and no user interaction needed. The impact is primarily on confidentiality, as unauthorized users can access sensitive calendar information, potentially exposing private scheduling data or business-critical timelines. No known exploits have been reported in the wild as of the publication date (September 30, 2025), but the vulnerability poses a significant risk to organizations relying on BOLD Workplanner for internal planning and scheduling. The lack of a patch link suggests that a fix may be pending or recently released. Given the nature of the vulnerability, attackers could leverage this flaw to gather intelligence or compromise the confidentiality of operational planning.
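The CWE-639 pattern described above, as an added illustration (this is not BOLD Workplanner code, and the data model, the `Calendar`/`CalendarService` names and the ownership rules are assumptions): a lookup that trusts the caller-supplied key is shown beside one that authorizes the object itself, plus a per-user indirect-reference map of the kind the description's "restricting internal identifier exposure" refers to.

```python
"""Object-level authorization for calendar lookups: the IDOR pattern
(CWE-639) beside a hardened version.

Added illustration, not BOLD Workplanner code. The data model, the
names and the ownership rules are assumptions.
"""
from dataclasses import dataclass, field
import secrets


class Forbidden(Exception):
    """Raised when the caller is not permitted to read the requested calendar."""


@dataclass(frozen=True)
class Calendar:
    calendar_id: int          # internal database key (the "user-controlled key")
    owner: str
    title: str
    shared_with: frozenset = field(default_factory=frozenset)


# Constructed sample data: three calendars belonging to two users.
CALENDARS = {
    1001: Calendar(1001, "alice", "Alice - shift plan"),
    1002: Calendar(1002, "bob", "Bob - maintenance window", frozenset({"alice"})),
    1003: Calendar(1003, "bob", "Bob - board meeting prep"),
}


def get_calendar_vulnerable(user: str, calendar_id: int) -> Calendar:
    """Vulnerable pattern: authentication happened upstream, but the lookup
    trusts the caller-supplied key and never checks who may read the record."""
    return CALENDARS[calendar_id]


def get_calendar_secure(user: str, calendar_id: int) -> Calendar:
    """Hardened pattern: resolve the record, then authorize the *object*,
    not just the endpoint. Unknown and forbidden ids look the same to the
    caller, so the endpoint cannot be used to learn which ids exist."""
    cal = CALENDARS.get(calendar_id)
    if cal is None or (cal.owner != user and user not in cal.shared_with):
        raise Forbidden(f"user {user!r} may not read calendar {calendar_id}")
    return cal


def can_read(user: str, calendar_id: int) -> bool:
    """Boolean view of the hardened check, convenient for tests and policy code."""
    try:
        get_calendar_secure(user, calendar_id)
        return True
    except Forbidden:
        return False


class IndirectReferenceMap:
    """Per-user indirection: the client sees random opaque tokens instead of
    database keys, and a token only resolves for the user it was minted for.
    This narrows the attack surface but does not replace the object check."""

    def __init__(self) -> None:
        self._by_user: dict = {}

    def reference_for(self, user: str, calendar_id: int) -> str:
        table = self._by_user.setdefault(user, {})
        for token, cid in table.items():
            if cid == calendar_id:
                return token
        token = secrets.token_urlsafe(16)
        table[token] = calendar_id
        return token

    def resolve(self, user: str, token: str) -> Calendar:
        cid = self._by_user.get(user, {}).get(token)
        if cid is None:
            raise Forbidden("unknown reference")
        return get_calendar_secure(user, cid)   # still authorize the object


if __name__ == "__main__":
    # bob's private calendar read with alice's session: leaks under the
    # vulnerable lookup, refused by the hardened one.
    print(get_calendar_vulnerable("alice", 1003).title)
    print("alice may read 1003:", can_read("alice", 1003))
    print("alice may read 1002 (shared):", can_read("alice", 1002))
```

The fix is the check inside `get_calendar_secure`, which is evaluated on every read regardless of how the key was obtained; the indirection map only makes keys harder to guess and is worthless on its own if the resolver skips that check.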

Potential Impact

For European organizations, the impact of CVE-2025-41091 is primarily the unauthorized disclosure of sensitive calendar and scheduling information. This can lead to exposure of confidential business plans, employee schedules, or project timelines, which could be exploited for competitive intelligence, social engineering, or operational disruption. Organizations in sectors such as manufacturing, logistics, healthcare, and critical infrastructure that rely heavily on resource planning tools like BOLD Workplanner are particularly vulnerable. The breach of confidentiality could also lead to regulatory non-compliance under GDPR if personal data is exposed, resulting in potential fines and reputational damage. Since the vulnerability requires authentication but no user interaction, insider threats or compromised credentials could be leveraged to exploit this flaw at scale. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the potential for targeted attacks, especially in high-value environments.

Mitigation Recommendations

European organizations should implement the following specific mitigations:
1) Upgrade BOLD Workplanner to version 2.5.25 or later as soon as the patch becomes available to remediate the vulnerability.
2) Until patching is possible, enforce strict access controls and role-based permissions to limit authenticated users’ ability to access calendar data beyond their scope.
3) Implement input validation and monitoring on internal identifier parameters to detect and block unauthorized access attempts.
4) Conduct regular audits of user access logs to identify anomalous or suspicious activity indicative of exploitation attempts.
5) Employ multi-factor authentication (MFA) to reduce the risk of credential compromise that could facilitate exploitation.
6) Educate users about the risks of credential sharing and phishing to minimize insider threat vectors.
7) Coordinate with the vendor for timely updates and security advisories.
8) Consider network segmentation to isolate critical scheduling systems from broader network access.
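Steps 3 and 4 above call for monitoring identifier parameters and auditing access logs. The following added example (not vendor tooling; the log line format, the `owner=` field and the thresholds are assumptions to adapt to the real application's logs) scans constructed calendar access log lines for the signature of key manipulation: one authenticated account successfully reading several calendars it does not own within a short window, with a note on whether the ids were consecutive.

```python
"""Audit helper for log-based detection of IDOR abuse: flag accounts that
read many foreign calendars in a short window.

Added example, not vendor tooling. Line format, the owner= field and the
thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=calendar\.read "
    r"calendar_id=(?P<cid>\d+) owner=(?P<owner>\S+) status=(?P<status>\d{3})$"
)

# Constructed sample log: alice reads her own calendar, then walks through a
# consecutive run of other users' calendars within a few seconds; bob reads
# his own calendar and is refused on alice's (the hardened behaviour).
SAMPLE_LOG = """\
2025-10-01T08:00:00Z user=alice action=calendar.read calendar_id=1001 owner=alice status=200
2025-10-01T08:00:05Z user=alice action=calendar.read calendar_id=1002 owner=bob status=200
2025-10-01T08:00:06Z user=alice action=calendar.read calendar_id=1003 owner=bob status=200
2025-10-01T08:00:07Z user=alice action=calendar.read calendar_id=1004 owner=carol status=200
2025-10-01T08:00:08Z user=alice action=calendar.read calendar_id=1005 owner=dave status=200
2025-10-01T08:00:09Z user=alice action=calendar.read calendar_id=1006 owner=erin status=200
2025-10-01T09:15:00Z user=bob action=calendar.read calendar_id=1002 owner=bob status=200
2025-10-01T09:15:30Z user=bob action=calendar.read calendar_id=1001 owner=alice status=403
"""


def parse(log_text):
    """Return (timestamp, user, calendar_id, owner, status) tuples."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not treated as evidence
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], int(m["cid"]), m["owner"], int(m["status"])))
    return events


def find_enumeration(events, window_seconds=60, min_foreign=3):
    """Per user, slide a window over successful reads of calendars the user
    does not own. A user is flagged when at least `min_foreign` distinct foreign
    ids fall inside `window_seconds`; consecutive ids are a strong sign of key
    manipulation rather than normal shared-calendar use."""
    by_user = defaultdict(list)
    for ts, user, cid, owner, status in sorted(events):
        if status == 200 and owner != user:
            by_user[user].append((ts, cid))
    findings = {}
    for user, reads in by_user.items():
        for i in range(len(reads)):
            start = reads[i][0]
            ids = [cid for ts, cid in reads[i:]
                   if (ts - start).total_seconds() <= window_seconds]
            distinct = sorted(set(ids))
            if len(distinct) >= min_foreign:
                consecutive = all(b - a == 1 for a, b in zip(distinct, distinct[1:]))
                findings[user] = {"foreign_ids": distinct,
                                  "consecutive": consecutive,
                                  "from": start.isoformat()}
                break
    return findings


if __name__ == "__main__":
    for user, info in find_enumeration(parse(SAMPLE_LOG)).items():
        print(user, info)
```

Only successful (200) reads of foreign calendars count, so a correctly enforced 403 never contributes; on a patched deployment the same scan is useful in reverse, as a burst of 403s on identifier parameters from one account points at the same behaviour being attempted and refused.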


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:09:36.724Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dbbca396e5c3a04c0b3779

Added to database: 9/30/2025, 11:18:59 AM

Last enriched: 10/7/2025, 11:28:44 AM

Last updated: 10/7/2025, 1:41:22 PM

