
CVE-2025-41096: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner

Severity: High
Tags: Vulnerability, CVE-2025-41096, CWE-639
Published: Tue Sep 30 2025 (09/30/2025, 11:16:31 UTC)
Source: CVE Database V5
Vendor/Project: GLOBAL PLANNING SOLUTIONS S.L (GPS)
Product: BOLD Workplanner

Description

Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access the dates of the current contract details using unauthorised internal identifiers.

AI-Powered Analysis

Last updated: 09/30/2025, 11:19:36 UTC

Technical Analysis

CVE-2025-41096 is an Insecure Direct Object Reference (IDOR) vulnerability identified in the BOLD Workplanner software developed by GLOBAL PLANNING SOLUTIONS S.L (GPS). This vulnerability affects versions prior to 2.5.25, specifically version 2.5.24 and earlier. The core issue stems from inadequate validation of user-supplied input: an authenticated user can substitute internal identifiers in a request and retrieve sensitive contract date details belonging to other records. The vulnerability is classified under CWE-639, which covers authorization bypass through user-controlled keys. The CVSS v4.0 base score is 7.1, indicating high severity. The vector details show that the attack can be performed remotely over the network (AV:N) with low attack complexity (AC:L), requires only low privileges (PR:L), i.e. any authenticated account, and needs no user interaction (UI:N). The vulnerability impacts confidentiality (VC:H) but not integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. In effect, an authenticated attacker can bypass authorization controls and read contract-related date information that should be restricted, potentially exposing sensitive business data.

Potential Impact

For European organizations using BOLD Workplanner, this vulnerability poses a significant risk to the confidentiality of contract-related information. Unauthorized access to contract dates could lead to business intelligence leaks, competitive disadvantages, or violations of data protection regulations such as GDPR if personal or sensitive data is involved. Since the vulnerability requires authentication but no elevated privileges, any compromised or legitimate user account could be leveraged to exploit this flaw, increasing the attack surface. The exposure of contract timelines could also facilitate further targeted attacks or fraud. Given the high severity and the nature of the data involved, organizations in sectors such as manufacturing, logistics, or project management that rely on BOLD Workplanner for scheduling and contract management are particularly at risk. The lack of known exploits in the wild provides a window for proactive mitigation, but the absence of a patch at the time of disclosure necessitates immediate compensating controls.

Mitigation Recommendations

European organizations should immediately audit their BOLD Workplanner deployments to identify affected versions (prior to 2.5.25). Until an official patch is released, implement strict access controls and monitor authenticated user activities for unusual access patterns to contract data. Employ network segmentation to limit access to the Workplanner system only to necessary personnel. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of compromised credentials being used to exploit this vulnerability. Additionally, conduct regular security training to raise awareness about the risks of credential misuse. Organizations should also engage with GLOBAL PLANNING SOLUTIONS S.L to obtain timely patches or updates and apply them promptly once available. Logging and alerting on access to sensitive contract information should be enhanced to detect potential exploitation attempts early.
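As an added illustration (not code from BOLD Workplanner or from the advisory), the following models the CWE-639 pattern described in the technical analysis beside its hardened form, and adds the denied-access logging and alerting that the mitigation section recommends. All names, accounts and contract identifiers are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
# Constructed sample data, not from the advisory: contracts keyed by an
# internal numeric identifier, each belonging to exactly one account.
@dataclass
class Contract:
    owner: str
    start: date
    end: date

CONTRACTS = {
    1001: Contract("alice", date(2025, 1, 1), date(2025, 12, 31)),
    1002: Contract("bob", date(2025, 3, 15), date(2026, 3, 14)),
}
AUDIT_LOG: list = []  # stands in for the application's audit/alerting sink
class Forbidden(Exception):
    pass

def contract_dates_idor(user: str, contract_id: int) -> dict:
    # CWE-639 pattern: the supplied identifier is trusted, so any
    # authenticated user can read any contract's dates by changing the id.
    c = CONTRACTS[contract_id]
    return {"start": c.start.isoformat(), "end": c.end.isoformat()}

def contract_dates_checked(user: str, contract_id: int) -> dict:
    # Hardened form: resolve the object, then verify the caller owns it
    # before returning anything; denied attempts are recorded for alerting.
    c = CONTRACTS.get(contract_id)
    if c is None or c.owner != user:
        AUDIT_LOG.append({"event": "contract_access_denied",
                          "user": user, "contract_id": contract_id})
        # Same outcome for "unknown id" and "not yours", so ids cannot be probed.
        raise Forbidden(f"user {user!r} may not read contract {contract_id}")
    return {"start": c.start.isoformat(), "end": c.end.isoformat()}

def is_forbidden(user: str, contract_id: int) -> bool:
    try:
        contract_dates_checked(user, contract_id)
        return False
    except Forbidden:
        return True

def suspicious_users(log: list, threshold: int = 3) -> set:
    # Detection over the audit sink: repeated denied reads from one account.
    counts: dict = {}
    for e in log:
        if e["event"] == "contract_access_denied":
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return {u for u, n in counts.items() if n >= threshold}
```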


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:09:37.996Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dbbca396e5c3a04c0b3788

Added to database: 9/30/2025, 11:18:59 AM

Last enriched: 9/30/2025, 11:19:36 AM

Last updated: 9/30/2025, 2:16:18 PM
