
CVE-2025-41099: CWE-639 Authorization Bypass Through User-Controlled Key in GLOBAL PLANNING SOLUTIONS S.L (GPS) BOLD Workplanner

Severity: High
Tags: vulnerability, CVE-2025-41099, CWE-639
Published: Tue Sep 30 2025 (09/30/2025, 11:17:30 UTC)
Source: CVE Database V5
Vendor/Project: GLOBAL PLANNING SOLUTIONS S.L (GPS)
Product: BOLD Workplanner

Description

Insecure Direct Object Reference (IDOR) vulnerability in BOLD Workplanner in versions prior to 2.5.25 (4935b438f9b), consisting of a lack of adequate validation of user input, allowing an authenticated user to access the list of permissions using unauthorised internal identifiers.

AI-Powered Analysis

Last updated: 09/30/2025, 11:19:16 UTC

Technical Analysis

CVE-2025-41099 is an authorization bypass classified under CWE-639 (Authorization Bypass Through User-Controlled Key) in GLOBAL PLANNING SOLUTIONS S.L's BOLD Workplanner, affecting versions prior to 2.5.25 (build 4935b438f9b). The root cause is an Insecure Direct Object Reference (IDOR): the application accepts an internal identifier from the client and uses it to look up a permission list without checking that the authenticated user is entitled to that particular object. An authenticated, low-privileged user can therefore substitute other identifiers and read permission lists that should be hidden from them.

Exploitation requires nothing beyond a valid login: no elevated privileges, no interaction from another user, and the request travels over the application's normal network interface. The CVSS 4.0 base score of 7.1 (high) reflects a network attack vector, low attack complexity, low privileges required (any authenticated account) and a high confidentiality impact from the unauthorized read. The record does not indicate a direct integrity or availability impact, but the exposed permission data is itself valuable reconnaissance: it tells an attacker which accounts and roles hold which rights, and so supports later privilege escalation or lateral movement.

No exploitation in the wild has been reported, and the record does not yet link a vendor patch advisory, although the description identifies 2.5.25 as the first fixed version; organizations should therefore plan the upgrade and, in the meantime, prioritize mitigation and monitoring. The CVE was reserved in April 2025 and published in late September 2025.
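To make the CWE-639 pattern concrete, the following is an added example and not BOLD Workplanner code: a permission-list lookup that checks only authentication (the vulnerable shape), the same lookup with an object-level authorization check, and an indirect-reference map that keeps internal identifiers off the wire altogether. The data model (users with a team and a role, permission lists owned by a team), the role names and all function names are assumptions for illustration; nothing about the product's internals is public beyond the CVE text.

```python
"""Added example, not BOLD Workplanner code: the CWE-639 / IDOR pattern and two fixes.

The data model (users with a team and a role, permission lists owned by a team),
the role names and every function here are assumptions made for illustration;
nothing is known publicly about the product's internals beyond the CVE text.
"""
import secrets
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    user_id: int
    role: str          # assumed roles: "admin" or "planner"
    team_id: int


@dataclass
class PermissionList:
    list_id: int       # internal identifier that ends up in the request
    owner_team_id: int
    entries: list = field(default_factory=list)


class Forbidden(Exception):
    pass


# Constructed sample data: two teams, one admin, two ordinary planners.
USERS = {
    1: User(1, "admin", 10),
    2: User(2, "planner", 10),
    3: User(3, "planner", 20),
}
PERMISSION_LISTS = {
    100: PermissionList(100, 10, ["schedule:read", "schedule:write"]),
    101: PermissionList(101, 20, ["schedule:read", "payroll:read"]),
}


def get_permission_list_vulnerable(session_user_id: int, list_id: int) -> list:
    """Authentication only. Any logged-in user can read any list by changing list_id.

    This is the CWE-639 shape: the key comes from the client and is used for the
    lookup directly, with no check that the caller may see that object.
    """
    if session_user_id not in USERS:
        raise Forbidden("not authenticated")
    return PERMISSION_LISTS[list_id].entries


def get_permission_list_fixed(session_user_id: int, list_id: int) -> list:
    """Authentication plus object-level authorization.

    The caller's identity is taken from the session, never from the request, and
    the ownership check is made against the object that was actually fetched, so
    re-encoding or renaming the parameter gains the attacker nothing.
    """
    user = USERS.get(session_user_id)
    if user is None:
        raise Forbidden("not authenticated")
    target = PERMISSION_LISTS.get(list_id)
    # One error for "missing" and "not yours": existence must not be enumerable.
    if target is None or (user.role != "admin" and target.owner_team_id != user.team_id):
        raise Forbidden("no such object or not permitted")
    return target.entries


def can_read(session_user_id: int, list_id: int) -> bool:
    """Boolean view of the fixed check, convenient for tests and policy audits."""
    try:
        get_permission_list_fixed(session_user_id, list_id)
        return True
    except Forbidden:
        return False


def build_reference_map(session_user_id: int) -> dict:
    """Indirect object references: hand the client random tokens instead of ids.

    Only objects the user may see receive a token, so the internal numbering
    (100, 101, ...) is never exposed and cannot be walked sequentially. The map
    lives server-side in the session; resolve_reference() is the only way back.
    """
    user = USERS[session_user_id]
    visible = [pl for pl in PERMISSION_LISTS.values()
               if user.role == "admin" or pl.owner_team_id == user.team_id]
    return {secrets.token_urlsafe(16): pl.list_id for pl in visible}


def resolve_reference(reference_map: dict, token: str) -> list:
    """Turn a client-supplied token back into a list; unknown tokens are refused."""
    if token not in reference_map:
        raise Forbidden("no such object or not permitted")
    return PERMISSION_LISTS[reference_map[token]].entries


if __name__ == "__main__":
    # User 3 (team 20) reading team 10's list: leaks in the vulnerable version only.
    print("vulnerable:", get_permission_list_vulnerable(3, 100))
    print("fixed, own team:", can_read(3, 101), "| fixed, other team:", can_read(3, 100))
    print("ids visible to user 3 via tokens:", sorted(build_reference_map(3).values()))
```

The fixed lookup returns the same error for "does not exist" and "not yours", which stops an attacker from at least confirming which identifiers are live. The reference map goes one step further: the client never learns the internal numbering, so a sequential sweep of the kind described above has nothing to sweep.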

Potential Impact

For European organizations using BOLD Workplanner, the risk is to the confidentiality of internal permission structures and, through them, of operational data. A permission list is a map of who may do what: an insider or an attacker holding a compromised account can use it to identify privileged accounts and the roles worth targeting, then plan privilege escalation or data exfiltration. For organizations that rely on BOLD Workplanner for workforce and resource planning, this reconnaissance is a stepping stone toward manipulating schedules or resource allocation through whatever further weakness the attacker finds, even though this vulnerability by itself only reads data. The absence of a direct integrity or availability impact reduces the risk of immediate service disruption, but unauthorized access to permission and personal data can still be a reportable breach under GDPR, so the regulatory and reputational consequences must be weighed alongside the technical ones.

Mitigation Recommendations

1. Upgrade to BOLD Workplanner 2.5.25 (build 4935b438f9b) or later, which the CVE description identifies as the first fixed version; confirm with the vendor if your build numbering differs.
2. Until the upgrade is deployed, restrict access to BOLD Workplanner to trusted users only and enforce strict authentication and session management controls.
3. Apply network segmentation and access controls so that the application is reachable only from the personnel and systems that need it.
4. Monitor application logs for unusual access patterns, in particular a single account requesting many distinct permission-list identifiers in a short window, or identifiers outside its own scope.
5. Audit user permissions and roles internally to detect anomalies or unauthorized privilege escalation.
6. A Web Application Firewall with custom rules can flag obvious parameter tampering (sequential identifier sweeps, identifiers outside the ranges a user normally touches), but an IDOR request is syntactically valid, so treat the WAF as a detection aid rather than a fix; only a server-side object-level authorization check closes the hole.
7. Educate users about credential compromise and enforce strong password policies and multi-factor authentication, since the attack requires a valid login.
8. Coordinate with the vendor for timely updates and advisories regarding patches or workarounds.
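Recommendation 4 asks for log monitoring of identifier enumeration. The following added example, not code from BOLD Workplanner or its vendor, shows what that check looks like against constructed access-log lines: it parses requests to an assumed /api/permissions/<id> endpoint, flags any account that touches an unusual number of distinct identifiers inside a sliding time window, and reports whether the identifiers form a consecutive run, the signature of a sweep. The log format, endpoint path and thresholds are assumptions; adapt the regex to the real server's log format.

```python
"""Added example, not BOLD Workplanner code: spotting IDOR enumeration in access logs.

The log format, the endpoint path /api/permissions/<id> and the thresholds are
assumptions for illustration; adapt LINE_RE to the real server's log format.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log line shape: "<iso-ts> user=<id> <method> <path> status=<code>".
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) user=(?P<user>\d+) "
    r"GET /api/permissions/(?P<obj>\d+) status=(?P<status>\d{3})$"
)

# Constructed sample: user 7 walks ids 100..105 in under a minute; users 2 and 3
# read one list each. The 404 on 103 still counts: probes miss as well as hit.
SAMPLE_LOG = """\
2025-09-30T10:00:01Z user=2 GET /api/permissions/100 status=200
2025-09-30T10:00:05Z user=7 GET /api/permissions/100 status=200
2025-09-30T10:00:09Z user=7 GET /api/permissions/101 status=200
2025-09-30T10:00:12Z user=7 GET /api/permissions/102 status=200
2025-09-30T10:00:15Z user=3 GET /api/permissions/101 status=200
2025-09-30T10:00:18Z user=7 GET /api/permissions/103 status=404
2025-09-30T10:00:21Z user=7 GET /api/permissions/104 status=200
2025-09-30T10:00:24Z user=7 GET /api/permissions/105 status=200
2025-09-30T10:00:30Z user=2 POST /api/login status=302
2025-09-30T10:02:40Z user=2 GET /api/permissions/100 status=200
"""


def parse_log(text: str) -> list:
    """Return (timestamp, user_id, object_id, status) tuples; unrelated lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, int(m["user"]), int(m["obj"]), int(m["status"])))
    return sorted(events)


def find_enumeration(events: list, window_seconds: int = 300, threshold: int = 5) -> dict:
    """Flag users that touched at least `threshold` distinct object ids within any window.

    Returns {user_id: sorted distinct ids the user requested}. A sliding window over
    each user's own events keeps the check linear in the number of events.
    """
    window = timedelta(seconds=window_seconds)
    per_user = defaultdict(list)
    for ts, user, obj, _status in events:
        per_user[user].append((ts, obj))

    flagged = {}
    for user, hits in per_user.items():
        hits.sort()
        in_window = defaultdict(int)     # object id -> number of hits inside the window
        start = 0
        for ts, obj in hits:
            in_window[obj] += 1
            while ts - hits[start][0] > window:   # evict hits that fell out of the window
                old = hits[start][1]
                in_window[old] -= 1
                if in_window[old] == 0:
                    del in_window[old]
                start += 1
            if len(in_window) >= threshold:
                flagged[user] = sorted({o for _, o in hits})
                break
    return flagged


def is_sequential(ids: list) -> bool:
    """True when the ids form a run of consecutive integers, the signature of a sweep."""
    ids = sorted(ids)
    return len(ids) > 1 and ids[-1] - ids[0] == len(ids) - 1


if __name__ == "__main__":
    for user, ids in find_enumeration(parse_log(SAMPLE_LOG)).items():
        tag = " (sequential sweep)" if is_sequential(ids) else ""
        print(f"user {user} requested {len(ids)} distinct permission lists: {ids}{tag}")
```

Tune the window and threshold to the real traffic: a planner who legitimately reviews several teams' lists will trip a low threshold, while an attacker pacing requests minutes apart slips under a short window. Counting misses (404) as well as hits matters because in the vulnerable version most probes succeed, but a partially hardened build will turn the sweep into a trail of refusals that is just as telling.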


Technical Details

Data Version
5.1
Assigner Short Name
INCIBE
Date Reserved
2025-04-16T09:09:37.997Z
Cvss Version
4.0
State
PUBLISHED

Threat ID: 68dbbca396e5c3a04c0b378e

Added to database: 9/30/2025, 11:18:59 AM

Last enriched: 9/30/2025, 11:19:16 AM

Last updated: 9/30/2025, 7:28:43 PM
