
CVE-2025-41097: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner

Severity: High
Tags: vulnerability, cve-2025-41097, cwe-639
Published: Tue Sep 30 2025 (09/30/2025, 11:16:55 UTC)
Source: CVE Database V5
Vendor/Project: GLOBAL PLANNING SOLUTIONS S.L (GPS)
Product: BOLD Workplanner

Description

Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access basic employee details using unauthorised internal identifiers.

AI-Powered Analysis

Last updated: 09/30/2025, 11:19:27 UTC

Technical Analysis

CVE-2025-41097 is an Insecure Direct Object Reference (IDOR) vulnerability identified in the BOLD Workplanner software developed by GLOBAL PLANNING SOLUTIONS S.L (GPS). This vulnerability affects versions prior to 2.5.25, that is, version 2.5.24 and earlier. The core issue stems from inadequate validation of user-supplied input: the application accepts an internal identifier from the request and resolves the corresponding record without checking that the requesting user is authorised to read that particular object, so an authenticated user can bypass authorization controls by manipulating the identifier. This flaw enables unauthorized access to basic employee details that should otherwise be restricted. The vulnerability is classified under CWE-639, authorization bypass through a user-controlled key. The CVSS 4.0 base score is 7.1, indicating high severity. The vector details reveal that the attack can be performed remotely over the network (AV:N), requires low attack complexity (AC:L), no user interaction (UI:N), and only the privileges of a logged-in user (PR:L). The vulnerability impacts confidentiality significantly (VC:H) but does not affect integrity or availability. No known exploits are currently reported in the wild, and no patches have been linked yet. The vulnerability was published on September 30, 2025, with the initial reservation date in April 2025. The lack of proper object-level authorization checks means that an authenticated user can access employee data beyond their permission scope, potentially exposing sensitive personal or organizational information. This could lead to privacy violations, insider threat exploitation, or data leakage within organizations using the affected software.

Potential Impact

For European organizations using BOLD Workplanner, this vulnerability poses a significant risk to employee data confidentiality. Unauthorized access to employee details can lead to privacy breaches, non-compliance with GDPR and other data protection regulations, and potential reputational damage. Organizations in sectors with strict data privacy requirements such as finance, healthcare, and government are particularly vulnerable. The exposure of employee information could facilitate social engineering attacks, insider threats, or unauthorized data harvesting. Since the vulnerability requires authenticated access, it could be exploited by malicious insiders or compromised user accounts, increasing the risk of lateral movement within the network. The absence of integrity or availability impact limits the scope to data confidentiality; however, the sensitivity of employee data makes this a critical concern. European organizations must consider the regulatory implications of unauthorized data access and the potential for fines or legal actions under GDPR if employee data is mishandled or leaked.

Mitigation Recommendations

To mitigate this vulnerability, European organizations should prioritize upgrading BOLD Workplanner to version 2.5.25 or later once the vendor releases a patch. Until a patch is available, organizations should implement strict access controls and monitor user activities within the application to detect anomalous access patterns to employee data. Role-based access control (RBAC) policies should be reviewed and enforced to limit user permissions strictly to necessary data. Additionally, organizations can implement application-layer firewalls or web application firewalls (WAFs) with custom rules to detect and block suspicious requests that attempt to manipulate internal identifiers. Logging and auditing access to employee records should be enhanced to provide traceability in case of misuse. User education about the risks of credential compromise and insider threats can reduce the likelihood of exploitation. Finally, organizations should conduct regular security assessments and penetration tests focusing on authorization controls within BOLD Workplanner to identify and remediate similar weaknesses proactively.
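The following is an added illustration, not BOLD Workplanner source code, of the CWE-639 pattern this record describes and of the object-level authorization check that closes it. It assumes a hypothetical in-memory employee directory, a session object carrying a user id and roles, and a simple scope rule (own record, direct reports, or the HR role); all data is constructed. The denied lookups are written to an audit trail, which is the signal the monitoring recommended above would alert on.

```python
# Hypothetical employee-lookup handlers illustrating CVE-2025-41097's class of
# flaw (IDOR / CWE-639). Not the vendor's code; directory, roles and scope rule
# are assumptions made for this example.
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Employee:
    emp_id: int
    name: str
    team: str
    manager_id: Optional[int]  # None for the top of the hierarchy


@dataclass(frozen=True)
class Session:
    user_id: int
    roles: frozenset = field(default_factory=frozenset)  # e.g. {"hr"}


# Constructed sample directory (not real data).
DIRECTORY = {
    100: Employee(100, "Ana", "ops", manager_id=None),
    101: Employee(101, "Ben", "ops", manager_id=100),
    102: Employee(102, "Cara", "finance", manager_id=None),
}

# Constructed audit trail: every lookup is recorded with its outcome so a
# monitor can spot one session sweeping through identifiers outside its scope.
AUDIT_LOG: list[str] = []


def basic_details(emp: Employee) -> dict:
    """Only the 'basic' projection is ever returned, whatever the caller's role."""
    return {"id": emp.emp_id, "name": emp.name, "team": emp.team}


def get_employee_vulnerable(session: Session, emp_id: int) -> Optional[dict]:
    """IDOR pattern: being logged in is the only check, and the identifier is
    validated for existence only, so any session can read every record."""
    emp = DIRECTORY.get(emp_id)
    return basic_details(emp) if emp else None


def is_in_scope(session: Session, emp: Employee) -> bool:
    """Object-level rule (assumed for the example): a user may read their own
    record, the records of their direct reports, or any record with the HR role."""
    if "hr" in session.roles:
        return True
    if emp.emp_id == session.user_id:
        return True
    return emp.manager_id == session.user_id


def get_employee_secure(session: Session, emp_id: int) -> Optional[dict]:
    """Hardened lookup: authorization is decided against the requested object,
    not merely against the fact that the caller is authenticated. Out-of-scope
    and non-existent ids both yield None so the response does not reveal
    which identifiers exist."""
    emp = DIRECTORY.get(emp_id)
    if emp is None:
        AUDIT_LOG.append(f"MISS user={session.user_id} employee={emp_id}")
        return None
    if not is_in_scope(session, emp):
        AUDIT_LOG.append(f"DENY user={session.user_id} employee={emp_id}")
        return None
    AUDIT_LOG.append(f"ALLOW user={session.user_id} employee={emp_id}")
    return basic_details(emp)


def denied_count(user_id: int) -> int:
    """Detection helper: number of out-of-scope lookups by one user, the
    counter an application monitor would threshold and alert on."""
    return sum(1 for line in AUDIT_LOG if line.startswith(f"DENY user={user_id} "))
```

The important design point is that `get_employee_secure` evaluates the policy against the object it has just loaded, not against the request parameters alone; a WAF rule on the identifier cannot reproduce that decision because it does not know who owns the record.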


Technical Details

Data Version: 5.1
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:09:37.996Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 68dbbca396e5c3a04c0b378b

Added to database: 9/30/2025, 11:18:59 AM

Last enriched: 9/30/2025, 11:19:27 AM

Last updated: 9/30/2025, 5:31:50 PM
