CVE-2025-41335 identifies a missing authorization vulnerability (CWE-862) in CanalDenuncia.app, a platform likely used for whistleblowing or corporate reporting. The flaw exists in the API endpoint '/api/buscarEmpresaById.php', which processes POST requests containing 'id' and 'id_sociedad' parameters. Due to the absence of proper authorization checks, an attacker can craft requests to retrieve information belonging to other users or entities without any authentication or user interaction. The vulnerability has a CVSS 4.0 base score of 8.7, indicating high severity, with an attack vector over the network, low attack complexity, no privileges required, no user interaction, and high confidentiality impact. The integrity and availability impacts are none, but the confidentiality breach can expose sensitive personal or corporate data. No patches are currently available, and no known exploits have been reported in the wild. The vulnerability was reserved in April 2025 and published in November 2025 by INCIBE, a Spanish cybersecurity entity, suggesting regional relevance. The affected version is listed as '0', which may indicate an initial or default version of the app. The lack of authorization controls in a critical API endpoint exposes the application to data leakage risks, which could be exploited by attackers to gather intelligence or conduct further attacks.

For European organizations, the impact of CVE-2025-41335 is significant, especially for those using CanalDenuncia.app to manage whistleblowing reports or sensitive corporate information. Unauthorized access to user or company data can lead to privacy violations, regulatory non-compliance (e.g., GDPR breaches), reputational damage, and potential legal consequences. The exposure of whistleblower identities or sensitive reports could deter reporting and undermine trust in compliance programs. Since the vulnerability requires no authentication and can be exploited remotely, attackers can easily harvest confidential data at scale. This could also facilitate targeted attacks, social engineering, or insider threat activities. Organizations in sectors with stringent data protection requirements, such as finance, healthcare, and public administration, face elevated risks. The absence of known exploits currently provides a window for proactive remediation, but the vulnerability's simplicity and severity make it a prime target for future exploitation.

1. Implement strict authorization checks on the '/api/buscarEmpresaById.php' endpoint to ensure that users can only access data they are permitted to view. 2. Introduce authentication mechanisms requiring valid user credentials before processing sensitive API requests. 3. Employ role-based access control (RBAC) or attribute-based access control (ABAC) to enforce fine-grained permissions. 4. Conduct thorough code reviews and penetration testing focused on access control enforcement across all API endpoints. 5. Monitor API logs for unusual access patterns, such as repeated requests with varying 'id' or 'id_sociedad' parameters from the same source. 6. If possible, implement rate limiting and anomaly detection to mitigate automated exploitation attempts. 7. Engage with the vendor or development team to obtain or develop patches addressing the vulnerability. 8. Educate internal teams about the risks of missing authorization and the importance of secure API design. 9. Consider isolating or restricting access to the affected application until a fix is deployed, especially in high-risk environments. 10. Review and update incident response plans to include scenarios involving unauthorized data access through API vulnerabilities.