CVE-2025-41099: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner
CVE-2025-41099 is a high-severity Insecure Direct Object Reference (IDOR) vulnerability in GLOBAL PLANNING SOLUTIONS S.L's BOLD Workplanner versions prior to 2.5.25. It allows authenticated users to bypass authorization controls by manipulating user-controlled keys to access unauthorized permission lists. The vulnerability requires no user interaction and no elevated privileges beyond authentication. Exploitation can lead to unauthorized disclosure of sensitive permission data, impacting confidentiality. No known exploits are currently reported in the wild. European organizations using affected versions should prioritize patching and implement strict access validation to mitigate risks. Countries with significant deployments of BOLD Workplanner or critical infrastructure relying on it are at higher risk.
AI Analysis
Technical Summary
CVE-2025-41099 is an authorization bypass vulnerability classified under CWE-639, specifically an Insecure Direct Object Reference (IDOR) in the BOLD Workplanner software developed by GLOBAL PLANNING SOLUTIONS S.L (GPS). The flaw exists in versions prior to 2.5.25, where the application fails to adequately validate user input related to internal identifiers used to access permission lists. An authenticated user can exploit this vulnerability by manipulating these user-controlled keys to gain unauthorized access to permission data that should be restricted. This bypass does not require elevated privileges beyond authentication, nor does it require user interaction, making it easier to exploit remotely over the network. The vulnerability impacts confidentiality by exposing sensitive permission information, which could be leveraged for further attacks or privilege escalation. The CVSS 4.0 vector indicates network attack vector (AV:N), low attack complexity (AC:L), low privileges required (PR:L, i.e. an authenticated account), no user interaction (UI:N), and high confidentiality impact (VC:H). No known exploits have been reported in the wild as of the publication date. The vulnerability highlights a critical weakness in access control mechanisms within the BOLD Workplanner platform, necessitating immediate remediation to prevent unauthorized data disclosure and potential downstream security risks.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive permission data within BOLD Workplanner deployments. Unauthorized access to permission lists can enable attackers or malicious insiders to map out user privileges, identify high-value targets, and potentially plan further privilege escalation or lateral movement within the network. This is particularly concerning for organizations relying on BOLD Workplanner for critical planning and scheduling functions, such as manufacturing, logistics, or infrastructure management. Exposure of permission data could lead to operational disruptions if attackers leverage the information to manipulate workflows or gain unauthorized control. Additionally, regulatory compliance risks arise under GDPR and other data protection laws if unauthorized access leads to personal or sensitive data exposure. The network-based exploitability and lack of required user interaction increase the likelihood of exploitation, especially in environments where authentication controls are weak or compromised. Although no active exploits are currently known, the high CVSS score and nature of the vulnerability warrant urgent attention to prevent potential future attacks.
Mitigation Recommendations
1. Upgrade BOLD Workplanner to version 2.5.25 or later immediately, as this version addresses the authorization validation flaw.
2. Implement strict server-side validation of all user-controlled input, especially internal identifiers used for access control decisions, to ensure users can only access resources they are authorized for.
3. Conduct a thorough audit of permission and access control configurations within BOLD Workplanner to detect and remediate any unauthorized access paths.
4. Enforce strong authentication mechanisms, such as multi-factor authentication (MFA), to reduce the risk of compromised credentials being used to exploit this vulnerability.
5. Monitor logs and network traffic for unusual access patterns or attempts to access unauthorized permission lists.
6. Restrict network access to the BOLD Workplanner application to trusted internal networks or VPNs to limit exposure.
7. Educate users about the importance of safeguarding their credentials and reporting suspicious activity promptly.
8. Coordinate with GPS vendor support for any additional patches or security advisories related to this vulnerability.
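The CWE-639 pattern behind this advisory, and the server-side check recommended in step 2, illustrated with an added example. This is not BOLD Workplanner code; the in-memory permission store, the User model and the owner/admin rule are hypothetical assumptions made for the illustration.

```python
# Hypothetical illustration of CWE-639 (IDOR) on a "permission list" lookup,
# beside its hardened form. Not vendor code; data and rules are constructed.
from dataclasses import dataclass, field
from typing import Callable, List, Set


@dataclass
class User:
    id: int
    roles: Set[str] = field(default_factory=set)


# Constructed sample data: permission lists keyed by an internal identifier.
# Each record stores which user owns (may read) it.
PERMISSION_LISTS = {
    101: {"owner_id": 1, "entries": ["planning.read", "planning.write"]},
    102: {"owner_id": 2, "entries": ["reports.read"]},
    103: {"owner_id": 3, "entries": ["admin.users"]},
}


class NotFound(Exception):
    """Raised for both 'no such record' and 'not authorized' (see below)."""


def get_permission_list_vulnerable(user: User, list_id: int) -> List[str]:
    """Vulnerable form: trusts the caller-supplied key and never asks whether
    *this* authenticated user may read the record it points at."""
    record = PERMISSION_LISTS.get(list_id)
    if record is None:
        raise NotFound
    return record["entries"]


def get_permission_list_fixed(user: User, list_id: int) -> List[str]:
    """Hardened form: the key is still user-controlled, but the server decides
    access from the session identity, not from the key alone."""
    record = PERMISSION_LISTS.get(list_id)
    authorized = record is not None and (
        record["owner_id"] == user.id or "admin" in user.roles
    )
    # One error for "missing" and "not yours" avoids confirming which ids exist.
    if not authorized:
        raise NotFound
    return record["entries"]


def access_allowed(fn: Callable[[User, int], List[str]], user: User, list_id: int) -> bool:
    """True if `fn` hands the list to `user`; used to compare the two handlers."""
    try:
        fn(user, list_id)
        return True
    except NotFound:
        return False
```

Running both handlers with the same authenticated user against another user's identifier shows the difference: the vulnerable handler returns the foreign list, the fixed one denies it while still serving the user's own list and an admin's lookups.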
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Belgium
Technical Details
- Data Version: 5.1
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:09:37.997Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 68dbbca396e5c3a04c0b378e
Added to database: 9/30/2025, 11:18:59 AM
Last enriched: 10/7/2025, 11:28:24 AM
Last updated: 11/12/2025, 2:39:57 AM