
CVE-2025-41113: CWE-862 Missing Authorization in CanalDenuncia CanalDenuncia.app

Severity: High
Tags: Vulnerability, CVE-2025-41113, CWE-862
Published: Tue Nov 04 2025 (11/04/2025, 13:10:12 UTC)
Source: CVE Database V5
Vendor/Project: CanalDenuncia
Product: CanalDenuncia.app

Description

A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_denuncia' in '/backend/api/buscarDenunciaByPin.php'.

AI-Powered Analysis

AILast updated: 11/04/2025, 13:25:55 UTC

Technical Analysis

CVE-2025-41113 identifies a missing authorization vulnerability (CWE-862) in the CanalDenuncia.app platform, specifically in the backend API endpoint '/backend/api/buscarDenunciaByPin.php'. The vulnerability arises because the application fails to verify that the user making a POST request with the 'id_denuncia' parameter is authorized to access the corresponding complaint or report data. This lack of access control allows any attacker, without authentication or user interaction, to retrieve sensitive information belonging to other users simply by supplying different 'id_denuncia' values. The affected version is recorded as 0 in the CVE entry, and the vulnerability was published on November 4, 2025. The CVSS v4.0 base score is 8.7, reflecting high severity: network attack vector, no required privileges or user interaction, and a high impact on confidentiality. The vulnerability does not affect integrity or availability but compromises the confidentiality of sensitive data, which is critical in whistleblowing or complaint management systems. No patches or known exploits are currently available, but the flaw's simplicity and impact make it a significant threat. The CVE was assigned by INCIBE, indicating recognition by a European cybersecurity authority. The absence of authorization checks in a sensitive application like CanalDenuncia.app could lead to unauthorized data disclosure, violating privacy regulations such as GDPR and undermining trust in whistleblower protection mechanisms.

Potential Impact

The primary impact of CVE-2025-41113 is the unauthorized disclosure of sensitive user information managed by CanalDenuncia.app. For European organizations, this can lead to severe privacy breaches, especially since whistleblowing platforms often handle confidential and legally sensitive reports. Exposure of such data can result in reputational damage, loss of stakeholder trust, and potential legal penalties under GDPR and other data protection laws. The vulnerability's exploitation requires no authentication, making it accessible to any remote attacker, increasing the risk of widespread data leaks. Additionally, the breach of whistleblower anonymity or sensitive complaint details could discourage reporting of wrongdoing, undermining organizational compliance and governance efforts. The lack of known exploits currently limits immediate risk, but the vulnerability's simplicity and high impact make it a prime target for attackers once exploit code becomes available. European entities relying on CanalDenuncia.app for regulatory compliance or internal reporting are particularly vulnerable to these impacts.

Mitigation Recommendations

To mitigate CVE-2025-41113, organizations should immediately audit and update the authorization logic in the CanalDenuncia.app backend API, ensuring that every request to '/backend/api/buscarDenunciaByPin.php' verifies the requesting user's permissions against the 'id_denuncia' resource. Implement role-based access control (RBAC) or attribute-based access control (ABAC) mechanisms to enforce strict data access policies. Conduct thorough code reviews and penetration testing focused on authorization checks across all API endpoints. Monitor application logs for unusual access patterns or repeated requests with varying 'id_denuncia' values that could indicate exploitation attempts. If possible, restrict API access to authenticated and authorized users only, and implement rate limiting to reduce brute-force attempts. Engage with the vendor or development team to obtain or develop patches addressing the vulnerability. Additionally, educate users and administrators about the risks of unauthorized data access and establish incident response plans to quickly address potential data breaches. Finally, ensure compliance with GDPR by notifying affected individuals and authorities if a breach occurs.
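The log-monitoring step above, as an added example that is not part of this page or of CanalDenuncia's code: it parses a constructed application log (the line format, the logged id_denuncia field and the sample addresses are assumptions) and flags clients that retrieved many different 'id_denuncia' values from the endpoint within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
ENDPOINT = "/backend/api/buscarDenunciaByPin.php"
# Assumed (constructed) application-log format, one request per line:
#   <ISO timestamp> client=<ip> method=<verb> path=<path> id_denuncia=<n> status=<code>
LINE_RE = re.compile(r"^(?P<ts>\S+) client=(?P<ip>\S+) method=(?P<method>\S+) "
                     r"path=(?P<path>\S+) id_denuncia=(?P<id>\d+) status=(?P<status>\d{3})$")
def _line(ts, ip, id_, status):  # builds one constructed sample line
    return f"{ts} client={ip} method=POST path={ENDPOINT} id_denuncia={id_} status={status}"
# Constructed sample: 203.0.113.7 walks consecutive ids and gets data back,
# 198.51.100.9 re-reads one report, 192.0.2.5 tries several ids but is refused.
SAMPLE_LOG = "\n".join([
    _line("2025-11-04T13:10:12Z", "203.0.113.7", 1041, 200),
    _line("2025-11-04T13:10:13Z", "203.0.113.7", 1042, 200),
    _line("2025-11-04T13:10:14Z", "203.0.113.7", 1043, 200),
    _line("2025-11-04T13:10:15Z", "203.0.113.7", 1044, 200),
    _line("2025-11-04T13:12:00Z", "198.51.100.9", 2001, 200),
    _line("2025-11-04T13:15:30Z", "198.51.100.9", 2001, 200),
    _line("2025-11-04T13:16:00Z", "192.0.2.5", 3001, 403),
    _line("2025-11-04T13:16:01Z", "192.0.2.5", 3002, 403),
    _line("2025-11-04T13:16:02Z", "192.0.2.5", 3003, 403),
    _line("2025-11-04T13:16:03Z", "192.0.2.5", 3004, 403),
])

def parse_events(log_text):
    """Yield (timestamp, client_ip, id_denuncia, status) for POSTs to ENDPOINT."""
    for line in log_text.splitlines():
        if (m := LINE_RE.match(line)) and m["method"] == "POST" and m["path"] == ENDPOINT:
            yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["ip"], int(m["id"]), int(m["status"])

def find_enumeration(log_text, max_distinct=3, window=timedelta(seconds=60),
                     successful_only=True):
    """Return {client_ip: sorted ids} for clients that requested more than max_distinct
    different id_denuncia values within any `window`. successful_only=True counts only
    HTTP 200 (data actually returned); set False to also surface refused (403) attempts."""
    by_ip = defaultdict(list)
    for ts, ip, id_, status in sorted(parse_events(log_text)):
        if not successful_only or status == 200:
            by_ip[ip].append((ts, id_))
    flagged = {}
    for ip, events in by_ip.items():
        start = 0
        for end in range(len(events)):  # sliding time window over the sorted events
            while events[end][0] - events[start][0] > window:
                start += 1
            if len({i for _, i in events[start:end + 1]}) > max_distinct:
                flagged[ip] = sorted({i for _, i in events})
                break
    return flagged
```

After the authorization fix is deployed, running with successful_only=False turns the same check into an alert on blocked enumeration attempts.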


Technical Details

Data Version: 5.2
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:09:39.344Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 6909fc133cfa4baba4c198b9

Added to database: 11/4/2025, 1:13:55 PM

Last enriched: 11/4/2025, 1:25:55 PM

Last updated: 11/5/2025, 6:56:04 AM

