CVE-2025-41111: CWE-862 Missing Authorization in CanalDenuncia CanalDenuncia.app
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_denuncia' in '/backend/api/buscarComentariosByDenuncia.php'.
AI Analysis
Technical Summary
CVE-2025-41111 is a missing authorization vulnerability classified under CWE-862 found in the CanalDenuncia.app platform, specifically in the API endpoint '/backend/api/buscarComentariosByDenuncia.php'. The vulnerability arises because the application fails to verify whether the requesting user is authorized to access the data associated with the 'id_denuncia' parameter. An attacker can send a crafted POST request with arbitrary 'id_denuncia' values to retrieve comments or information tied to other users' reports without any authentication or privileges. The vulnerability has a CVSS 4.0 base score of 8.7, indicating high severity due to its network attack vector, lack of required authentication, and the high impact on confidentiality. The flaw does not affect integrity or availability but exposes sensitive user information, potentially including whistleblower reports or complaints, which can lead to privacy violations and reputational damage. No patches or fixes have been published yet, and no exploits are known in the wild, but the vulnerability's simplicity and severity make it a critical risk. The issue was reserved in April 2025 and published in November 2025 by INCIBE, highlighting the need for urgent attention by CanalDenuncia.app users and administrators.
Potential Impact
For European organizations, this vulnerability poses a significant risk to the confidentiality of sensitive information submitted through CanalDenuncia.app, which is often used for whistleblowing or reporting misconduct. Unauthorized data access can lead to privacy breaches, regulatory non-compliance with GDPR, and loss of trust from users and stakeholders. Organizations relying on CanalDenuncia.app for compliance or internal reporting may face legal and financial consequences if sensitive data is exposed. The vulnerability's ease of exploitation without authentication increases the likelihood of attacks, potentially by malicious insiders or external threat actors. Additionally, the exposure of whistleblower information can deter reporting and undermine organizational transparency. The lack of patches means organizations must rely on compensating controls until a fix is available. This threat is particularly impactful in sectors with strict data protection requirements such as finance, healthcare, and government institutions across Europe.
Mitigation Recommendations
1. Immediately implement strict access control mechanisms on the '/backend/api/buscarComentariosByDenuncia.php' endpoint to ensure that only authorized users can query data related to their own 'id_denuncia'.
2. Introduce robust authorization checks in the backend to validate user permissions before returning any data.
3. Employ input validation and parameter sanitization to prevent unauthorized parameter manipulation.
4. Enable detailed logging and monitoring of API requests to detect unusual access patterns or attempts to access other users' data.
5. If possible, restrict API access via network segmentation or VPNs to trusted users only until a patch is released.
6. Conduct a thorough security audit of the entire CanalDenuncia.app codebase to identify and remediate similar authorization issues.
7. Educate users and administrators about the risk and encourage reporting of suspicious activity.
8. Coordinate with the vendor for timely patch deployment once available.
9. Consider deploying Web Application Firewalls (WAF) with custom rules to block suspicious POST requests targeting the vulnerable endpoint.
10. Review and update privacy policies and incident response plans to prepare for potential data breach scenarios.
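Recommendations 1, 2 and 4 together describe an authenticated handler that ties the 'id_denuncia' lookup to the caller before any comment is returned and records denied attempts. The following PHP is an added illustration of that pattern, not CanalDenuncia.app's code (which is not on this page); the table and column names, the session layout and the database connection details are assumptions.

```php
<?php
// Added illustration of an authorized "comments by report id" handler.
// Table/column names, session keys and DSN are assumptions, not the vendor's.
declare(strict_types=1);
session_start();
header('Content-Type: application/json');

// 1. Authentication: the request must belong to a logged-in session.
if (empty($_SESSION['user_id'])) {
    http_response_code(401);
    exit(json_encode(['error' => 'authentication required']));
}
$userId = (int) $_SESSION['user_id'];

// 2. Input validation: id_denuncia must be a positive integer.
$idDenuncia = filter_input(INPUT_POST, 'id_denuncia', FILTER_VALIDATE_INT,
    ['options' => ['min_range' => 1]]);
if ($idDenuncia === false || $idDenuncia === null) {
    http_response_code(400);
    exit(json_encode(['error' => 'invalid id_denuncia']));
}

$pdo = new PDO('mysql:host=localhost;dbname=app', 'app_user', 'app_pass',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);

// 3. Authorization (the step CWE-862 describes as missing): the report must
//    belong to the caller. A vulnerable handler would skip straight to step 4
//    with the raw POST value, returning comments for any id supplied.
function userMayReadDenuncia(PDO $pdo, int $userId, int $idDenuncia): bool
{
    $stmt = $pdo->prepare('SELECT 1 FROM denuncias WHERE id = :id AND owner_user_id = :uid');
    $stmt->execute([':id' => $idDenuncia, ':uid' => $userId]);
    return $stmt->fetchColumn() !== false;
}

if (!userMayReadDenuncia($pdo, $userId, $idDenuncia)) {
    // Log the refusal for monitoring (recommendation 4); answer 404 rather than
    // 403 so the caller learns nothing about whether the report exists.
    error_log(sprintf('authz denied: user=%d id_denuncia=%d ip=%s',
        $userId, $idDenuncia, $_SERVER['REMOTE_ADDR'] ?? '-'));
    http_response_code(404);
    exit(json_encode(['error' => 'not found']));
}

// 4. Only after the ownership check are the comments fetched.
$stmt = $pdo->prepare('SELECT id, autor, texto, creado FROM comentarios
                       WHERE id_denuncia = :id ORDER BY creado');
$stmt->execute([':id' => $idDenuncia]);
echo json_encode($stmt->fetchAll(PDO::FETCH_ASSOC));
```

Keeping the ownership test inside the SQL predicate means there is no window in which another user's rows are loaded and then filtered in PHP, and the denied-access log line gives the monitoring in recommendation 4 a concrete event to alert on.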
Affected Countries
Spain, Germany, France, Italy, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:09:39.344Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 6909fc133cfa4baba4c198b3
Added to database: 11/4/2025, 1:13:55 PM
Last enriched: 11/4/2025, 1:26:15 PM
Last updated: 11/5/2025, 7:34:38 AM