
CVE-2025-41094: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner

High
Published: Tue Sep 30 2025 (09/30/2025, 11:14:33 UTC)
Source: CVE Database V5
Vendor/Project: GLOBAL PLANNING SOLUTIONS S.L (GPS)
Product: BOLD Workplanner

Description

Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access functional contract details using unauthorised internal identifiers.

AI-Powered Analysis

Last updated: 09/30/2025, 11:20:04 UTC

Technical Analysis

CVE-2025-41094 is an Insecure Direct Object Reference (IDOR) vulnerability in the BOLD Workplanner product developed by GLOBAL PLANNING SOLUTIONS S.L (GPS). It affects versions prior to 2.5.25, that is, version 2.5.24 and earlier. The core issue is insufficient validation of user input: an authenticated user can retrieve functional contract details by manipulating internal identifiers for objects they are not authorized to view. It is classified under CWE-639, authorization bypass through a user-controlled key. Exploitation requires no user interaction and is possible remotely over the network; the only privilege needed is a valid authenticated account. The CVSS 4.0 base score is 7.1 (high severity), reflecting the network attack vector, low attack complexity, privileges limited to an authenticated account, and no user interaction. The impact is primarily on confidentiality, since unauthorized users can read contract information that should be restricted; there is no indication of integrity or availability impact. No exploits are currently reported in the wild, and no patches or mitigations have been linked yet. The vulnerability was reserved in April 2025 and published in September 2025, indicating recent discovery and disclosure. Because authorization is not checked against the internal identifier, an attacker with valid credentials can enumerate or guess identifiers and retrieve data belonging to other users or contracts, potentially exposing sensitive business information.
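As an added illustration of the CWE-639 pattern described above (example code written for this page, not BOLD Workplanner's own; the in-memory contract store, user ids and contract ids are constructed), the lookup is shown in its IDOR-prone form beside a hardened form that ties the identifier to the calling user and records denied attempts for alerting:

```python
# Added example: a contract-detail lookup keyed by a user-supplied identifier.
# The vulnerable form trusts the id; the hardened form enforces ownership
# (object-level authorization) and logs denials so enumeration can be detected.
from dataclasses import dataclass


@dataclass(frozen=True)
class Contract:
    contract_id: int
    owner_user_id: int
    details: str


# Constructed sample data: two users (7 and 8), each owning one contract.
CONTRACTS = {
    1001: Contract(1001, 7, "Contract 1001: rate 45 EUR/h, client Alpha"),
    1002: Contract(1002, 8, "Contract 1002: rate 60 EUR/h, client Beta"),
}

# Constructed audit trail of denied lookups (in a real system this feeds SIEM).
AUDIT_LOG: list = []


class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested object."""


def get_contract_vulnerable(user_id: int, contract_id: int) -> str:
    """IDOR-prone: returns whatever id the caller supplies, never checking
    that the contract belongs to user_id."""
    return CONTRACTS[contract_id].details


def get_contract_hardened(user_id: int, contract_id: int) -> str:
    """Object-level check: the contract must be owned by the calling user.
    Missing and foreign ids get the same response, so the caller cannot
    tell 'does not exist' from 'belongs to someone else'."""
    contract = CONTRACTS.get(contract_id)
    if contract is None or contract.owner_user_id != user_id:
        AUDIT_LOG.append({"user": user_id, "contract": contract_id, "result": "denied"})
        raise Forbidden("contract not found")
    return contract.details


def denied_count(user_id: int) -> int:
    """Denied lookups by one account; a burst is the enumeration signal the
    mitigation guidance says to alert on."""
    return sum(1 for e in AUDIT_LOG if e["user"] == user_id and e["result"] == "denied")
```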

Potential Impact

For European organizations using BOLD Workplanner, this vulnerability poses a significant risk to the confidentiality of sensitive contract data. Unauthorized access to contract details could lead to exposure of proprietary business information, client data, pricing, and negotiation terms. This could result in competitive disadvantage, reputational damage, and potential regulatory non-compliance, especially under GDPR where unauthorized access to personal or business data is a serious concern. The impact is heightened for organizations in sectors with strict confidentiality requirements such as finance, legal, and government contractors. Since the vulnerability requires authentication but no elevated privileges, any compromised or insider user account could be leveraged to exploit this flaw. The absence of known exploits in the wild suggests limited immediate threat, but the ease of exploitation and high impact make it a critical issue to address promptly. The vulnerability does not affect system availability or integrity directly but could be a stepping stone for further attacks or data leakage.

Mitigation Recommendations

Organizations should prioritize upgrading BOLD Workplanner to version 2.5.25 or later once available, as this is expected to include the necessary authorization checks to fix the IDOR vulnerability. Until a patch is applied, implement strict access controls and monitoring on user accounts with access to the Workplanner system. Employ logging and alerting to detect unusual access patterns or attempts to access unauthorized contract identifiers. Conduct a thorough review of user permissions to ensure the principle of least privilege is enforced, limiting authenticated users to only the data necessary for their role. Consider implementing additional application-layer controls such as web application firewalls (WAFs) with custom rules to detect and block suspicious parameter tampering indicative of IDOR exploitation attempts. Regularly audit and rotate user credentials to reduce the risk of compromised accounts. Engage with the vendor for timely updates and security advisories. Finally, educate users about the importance of safeguarding their credentials to prevent unauthorized access.


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-04-16T09:09:36.725Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68dbbca396e5c3a04c0b3782

Added to database: 9/30/2025, 11:18:59 AM

Last enriched: 9/30/2025, 11:20:04 AM

Last updated: 9/30/2025, 2:13:24 PM

