CVE-2025-41093 is an authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) found in the BOLD Workplanner software developed by GLOBAL PLANNING SOLUTIONS S.L (GPS). The vulnerability exists in versions prior to 2.5.25, where the application fails to adequately validate user-supplied input related to internal identifiers. This flaw allows an authenticated user to access contract details that should be restricted, by manipulating these identifiers (an IDOR vulnerability). The vulnerability is exploitable remotely over the network without user interaction or elevated privileges beyond authentication, making it relatively easy to exploit. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N) indicates high confidentiality impact with no impact on integrity or availability. Although no public exploits have been reported, the exposure of contract data could lead to information leakage, competitive disadvantage, or compliance violations. The lack of patch links suggests the vendor may not have released a public fix at the time of reporting, emphasizing the need for immediate mitigation steps. The vulnerability is particularly concerning for organizations relying on BOLD Workplanner for contract management, as unauthorized access to contract details could undermine business operations and trust.

For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive contract information managed within BOLD Workplanner. Unauthorized access to contract details can lead to exposure of commercially sensitive data, intellectual property, or personal data protected under GDPR, potentially resulting in regulatory penalties and reputational damage. Industries such as manufacturing, logistics, and professional services that rely on GPS BOLD Workplanner for resource and contract management are particularly vulnerable. The ease of exploitation (network accessible, low complexity, no user interaction) increases the likelihood of attacks, especially from insider threats or compromised user accounts. The impact is amplified in sectors where contract confidentiality is critical to competitive advantage or compliance. Additionally, unauthorized data access could facilitate further targeted attacks or social engineering campaigns. The absence of known exploits in the wild currently reduces immediate risk but does not eliminate the threat, as attackers may develop exploits rapidly once the vulnerability is public.

1. Upgrade BOLD Workplanner to version 2.5.25 or later as soon as the vendor releases a patch addressing CVE-2025-41093. 2. Until a patch is available, implement strict access control policies limiting authenticated user permissions to the minimum necessary, especially restricting access to contract-related functions. 3. Employ input validation and parameter filtering at the application or proxy level to detect and block unauthorized manipulation of internal identifiers. 4. Monitor application logs and access patterns for unusual activity indicative of IDOR exploitation attempts, such as access to contract IDs outside a user's scope. 5. Conduct regular security assessments and penetration testing focusing on authorization controls within BOLD Workplanner deployments. 6. Educate users about the risks of credential compromise and enforce strong authentication mechanisms, including multi-factor authentication, to reduce the risk of unauthorized access. 7. If feasible, isolate BOLD Workplanner instances within secure network segments to limit exposure. 8. Coordinate with the vendor for timely updates and advisories.