CVE-2025-41095: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner

Severity: High
Tags: Vulnerability, CVE-2025-41095, CWE-639
Published: Tue Sep 30 2025 (09/30/2025, 11:15:55 UTC)
Source: CVE Database V5
Vendor/Project: GLOBAL PLANNING SOLUTIONS S.L (GPS)
Product: BOLD Workplanner

Description

Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access planning counter details using unauthorised internal identifiers.

AI-Powered Analysis

Last updated: 09/30/2025, 11:19:50 UTC

Technical Analysis

CVE-2025-41095 is a high-severity authorization bypass vulnerability classified under CWE-639 (Authorization Bypass Through User-Controlled Key) affecting the BOLD Workplanner product developed by GLOBAL PLANNING SOLUTIONS S.L (GPS). The vulnerability exists in versions prior to 2.5.25 and was specifically identified in version 2.5.24. It is an Insecure Direct Object Reference (IDOR) flaw caused by insufficient validation of user input when accessing internal planning counter details: an authenticated user with legitimate access to the system can manipulate the internal identifiers (keys) used in those requests to reach planning counter details they should not be able to view or modify. This bypasses the intended authorization controls and can expose sensitive planning data.

Exploitation requires no user interaction and is possible remotely over the network; the only privilege needed is an authenticated user account. The CVSS v4.0 base score is 7.1 (high): the attack vector is network-based, attack complexity is low, no privileges beyond authentication are required, and the impact on confidentiality is high, while integrity and availability are not affected. No exploits are currently reported in the wild, and no patches or mitigation links had been published at the time of reporting.

The root cause is inadequate server-side validation of user-supplied keys used to reference internal objects, the classic IDOR pattern: the server resolves whatever object the supplied key points to without confirming that the requesting user is authorised for that particular object. The result is unauthorized disclosure of sensitive planning information, which may include scheduling, resource allocation, or other operational data managed by the BOLD Workplanner platform.
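The IDOR pattern described above, shown as a vulnerable lookup beside its hardened form. This is an added illustration, not BOLD Workplanner code; the data store, organisation names and record contents are constructed for the example.

```python
# Added example (not BOLD Workplanner code): a planning-counter lookup that
# trusts the client-supplied key, and the same lookup with object-level
# authorization. Store, organisations and records are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class PlanningCounter:
    counter_id: int
    owner_org: str
    details: str


class AccessDenied(Exception):
    pass


# Constructed sample data: counters belonging to two different organisations.
COUNTERS = {
    101: PlanningCounter(101, "org-a", "shift plan Q4, 12 staff"),
    102: PlanningCounter(102, "org-b", "maintenance window, 3 crews"),
}


def get_counter_vulnerable(user_org: str, counter_id: int) -> PlanningCounter:
    """IDOR: the key alone selects the record; nobody checks who may read it."""
    try:
        return COUNTERS[counter_id]
    except KeyError:
        raise AccessDenied("not found")


def get_counter_hardened(user_org: str, counter_id: int) -> PlanningCounter:
    """Object-level authorization: ownership is checked server-side, and a
    missing record and a foreign record produce the same error so the
    response does not confirm which identifiers exist."""
    counter = COUNTERS.get(counter_id)
    if counter is None or counter.owner_org != user_org:
        raise AccessDenied("not found")
    return counter


def can_read(lookup, user_org: str, counter_id: int) -> bool:
    """Compare both variants on the same inputs: True if the read succeeds."""
    try:
        lookup(user_org, counter_id)
        return True
    except AccessDenied:
        return False
```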

Potential Impact

For European organizations using BOLD Workplanner, this vulnerability poses a significant risk to the confidentiality of internal planning and scheduling data. Unauthorized access to planning counter details could lead to exposure of sensitive operational information, potentially undermining business processes, competitive advantage, and compliance with data protection regulations such as GDPR. In sectors where planning data is critical—such as manufacturing, logistics, transportation, and utilities—this could disrupt operational security and strategic planning. Although the vulnerability does not directly impact system integrity or availability, the unauthorized disclosure of sensitive information can facilitate further attacks or insider threats. Additionally, organizations may face regulatory and reputational damage if sensitive data is exposed due to inadequate access controls. The lack of known exploits currently limits immediate risk, but the ease of exploitation once authenticated means insider threats or compromised credentials could be leveraged to exploit this flaw.

Mitigation Recommendations

1. Upgrade immediately to BOLD Workplanner version 2.5.25 or later once available, as this version addresses the vulnerability by implementing proper validation of user-controlled keys.
2. Until patching is possible, restrict access to the BOLD Workplanner application to trusted users only and enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of credential compromise.
3. Implement strict monitoring and logging of access to planning counter details to detect anomalous access patterns indicative of exploitation attempts.
4. Conduct a thorough review of user permissions and roles within the application to ensure least-privilege principles are enforced, minimizing the number of users with access to sensitive planning data.
5. If feasible, apply web application firewall (WAF) rules to detect and block suspicious requests attempting to manipulate internal identifiers.
6. Educate users about the importance of safeguarding credentials and recognizing potential insider threat behaviors.
7. Coordinate with the vendor for timely receipt of patches and security advisories.
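The monitoring step above (recommendation 3), as a small detector run over constructed access-log lines. This is an added example, not part of the advisory or the vendor's tooling; the log format, user names, thresholds and counter identifiers are assumptions.

```python
# Added example (not the advisory's or vendor's code): flag users whose
# planning-counter requests look like identifier manipulation, i.e. many
# distinct ids or repeated denials. Log format and thresholds are assumed.
import re
from collections import defaultdict

# Constructed sample log: one line per planning-counter request.
SAMPLE_LOG = """\
2025-09-30T10:00:01Z user=alice GET /planning/counters/101 status=200
2025-09-30T10:00:02Z user=alice GET /planning/counters/101 status=200
2025-09-30T10:01:00Z user=mallory GET /planning/counters/101 status=200
2025-09-30T10:01:01Z user=mallory GET /planning/counters/102 status=200
2025-09-30T10:01:02Z user=mallory GET /planning/counters/103 status=403
2025-09-30T10:01:03Z user=mallory GET /planning/counters/104 status=403
2025-09-30T10:01:04Z user=mallory GET /planning/counters/105 status=403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) \S+ /planning/counters/(?P<cid>\d+) status=(?P<status>\d+)$"
)


def parse_log(text: str):
    """Yield (user, counter_id, status) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["user"], int(m["cid"]), int(m["status"])


def find_suspicious(text: str, max_distinct: int = 3, max_denied: int = 2) -> dict:
    """Return {user: [reasons]} for users touching more distinct counter ids
    than a normal workflow would, or collecting repeated 403 responses."""
    distinct = defaultdict(set)
    denied = defaultdict(int)
    for user, cid, status in parse_log(text):
        distinct[user].add(cid)
        if status == 403:
            denied[user] += 1
    flagged = {}
    for user in distinct:
        reasons = []
        if len(distinct[user]) > max_distinct:
            reasons.append(f"{len(distinct[user])} distinct counters")
        if denied[user] > max_denied:
            reasons.append(f"{denied[user]} denied requests")
        if reasons:
            flagged[user] = reasons
    return flagged
```

Once the patch is applied the 403 signal stops firing on the fixed endpoint, so keep the distinct-id check as the longer-lived indicator.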


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:09:37.996Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dbbca396e5c3a04c0b3785

Added to database: 9/30/2025, 11:18:59 AM

Last enriched: 9/30/2025, 11:19:50 AM

Last updated: 10/1/2025, 12:09:20 AM
