
CVE-2025-41341: CWE-862 Missing Authorization in CanalDenuncia CanalDenuncia.app

Severity: High
Tags: CVE-2025-41341, CWE-862
Published: Tue Nov 04 2025 (11/04/2025, 13:17:34 UTC)
Source: CVE Database V5
Vendor/Project: CanalDenuncia
Product: CanalDenuncia.app

Description

A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'seguro' in '/backend/api/buscarUsuarioByDenuncia.php'.

AI-Powered Analysis

Last updated: 11/04/2025, 13:38:39 UTC

Technical Analysis

CVE-2025-41341 is a missing authorization vulnerability classified under CWE-862 found in CanalDenuncia.app, a platform likely used for whistleblowing or complaint reporting. The vulnerability exists in the backend API endpoint '/backend/api/buscarUsuarioByDenuncia.php', which processes POST requests containing 'id_denuncia' and 'seguro' parameters. Due to the absence of proper authorization validation, an attacker can craft POST requests with arbitrary values for these parameters to retrieve information about other users without any authentication or user interaction. This leads to unauthorized disclosure of potentially sensitive user data. The vulnerability has a CVSS 4.0 base score of 8.7, reflecting its high severity, primarily due to network attack vector, no required privileges or user interaction, and a high impact on confidentiality. The vulnerability was reserved in April 2025 and published in November 2025, with no patches or known exploits publicly available yet. The lack of authorization checks indicates a fundamental security design flaw in the application’s access control mechanisms. Given the nature of the data handled by CanalDenuncia.app, unauthorized access could expose whistleblower identities or complaint details, leading to privacy violations and reputational damage. The vulnerability affects version 0 of the product, suggesting it may impact early or initial releases. The absence of patches necessitates immediate compensating controls to mitigate risk until a fix is available.
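The access-control flaw described above, modelled as an added example that is not CanalDenuncia's code: `vulnerable_lookup` returns the reporter record for whatever `id_denuncia` is supplied, while `hardened_lookup` first requires a session, ownership (or an assumed investigator role) and a constant-time match on `seguro`. The in-memory store, its field names and the role name are assumptions.

```python
import hmac
from typing import Optional

# Constructed in-memory store: id_denuncia -> owner, 'seguro' token and reporter record.
# Field names are assumptions; the real CanalDenuncia schema is not on the page.
COMPLAINTS = {
    101: {"owner": "alice", "seguro": "tok-alice-9f1",
          "user": {"name": "Alice", "email": "alice@example.org"}},
    102: {"owner": "bob", "seguro": "tok-bob-4c7",
          "user": {"name": "Bob", "email": "bob@example.org"}},
}


def vulnerable_lookup(params: dict) -> Optional[dict]:
    """Models the reported behaviour (CWE-862): the record is returned for any
    id_denuncia the caller names; nobody checks who is asking or whether 'seguro' matches."""
    rec = COMPLAINTS.get(int(params["id_denuncia"]))
    return rec["user"] if rec else None


def hardened_lookup(session_user: Optional[str], params: dict,
                    roles: frozenset = frozenset()) -> Optional[dict]:
    """Authorise before fetching. The caller must have a session, must own the
    complaint (or hold the assumed 'investigator' role) and must present the matching
    'seguro'. Every failure returns None so the response does not reveal which check
    tripped; a real handler would answer 403 at that point."""
    if session_user is None:
        return None
    try:
        id_denuncia = int(params.get("id_denuncia", ""))
    except ValueError:
        return None
    rec = COMPLAINTS.get(id_denuncia)
    seguro = str(params.get("seguro", ""))
    # Compare against a dummy of equal length when the id is unknown, so response
    # timing does not reveal which ids exist.
    expected = rec["seguro"] if rec else "\0" * len(seguro)
    token_ok = hmac.compare_digest(expected.encode(), seguro.encode())
    owner_ok = rec is not None and (rec["owner"] == session_user or "investigator" in roles)
    if not (token_ok and owner_ok):
        return None
    return rec["user"]
```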

Potential Impact

The primary impact of CVE-2025-41341 is the unauthorized disclosure of sensitive user information, which can severely compromise confidentiality. For European organizations, especially those handling whistleblower reports or sensitive complaints, this could lead to exposure of identities and case details, undermining trust and potentially violating GDPR and other privacy regulations. The breach of confidentiality could result in legal penalties, reputational harm, and loss of stakeholder confidence. Since the vulnerability requires no authentication or user interaction, it can be exploited remotely and at scale, increasing the risk of mass data leakage. The integrity and availability of the system are not directly affected; however, the loss of confidentiality alone is critical given the sensitive nature of the data. Organizations relying on CanalDenuncia.app or similar platforms may face regulatory scrutiny and operational disruptions if exploited. The lack of known exploits currently provides a window for proactive mitigation, but the ease of exploitation suggests attackers could develop exploits rapidly once the vulnerability is publicly known.

Mitigation Recommendations

1. Immediately restrict access to the vulnerable API endpoint '/backend/api/buscarUsuarioByDenuncia.php' by implementing network-level controls such as IP whitelisting or VPN requirements.
2. Implement strict authorization checks on the server side to verify that the requesting user is permitted to access the data associated with the provided 'id_denuncia' and 'seguro' parameters.
3. Introduce authentication mechanisms if not already present, ensuring that only authenticated and authorized users can query sensitive information.
4. Conduct a comprehensive code review and security audit of the CanalDenuncia.app backend to identify and remediate similar missing authorization issues.
5. Monitor application logs for unusual or repeated access attempts to the vulnerable endpoint to detect potential exploitation attempts.
6. Engage with the vendor or development team to obtain or expedite patches addressing this vulnerability.
7. Educate users and administrators about the risks and encourage prompt reporting of suspicious activity.
8. Consider implementing additional data access controls such as rate limiting and anomaly detection to mitigate exploitation risks until a patch is deployed.
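Detection logic for items 5 and 8 above, as an added example rather than anything shipped with CanalDenuncia.app: it reads JSON-lines application log entries (a constructed format; the real log layout, field names and the assumption that the app records `id_denuncia` per request are all mine), flags every hit on the endpoint that carried no session, and flags a source that queries several distinct `id_denuncia` values within a short window.

```python
import json
from collections import defaultdict, deque
from datetime import datetime

ENDPOINT = "/backend/api/buscarUsuarioByDenuncia.php"

# Constructed sample log (JSON lines). 'user' is null when the request had no session.
SAMPLE_LOG = """
{"ts": "2025-11-04T13:20:01Z", "src": "203.0.113.7", "user": null, "path": "/backend/api/buscarUsuarioByDenuncia.php", "id_denuncia": "101", "status": 200}
{"ts": "2025-11-04T13:20:02Z", "src": "203.0.113.7", "user": null, "path": "/backend/api/buscarUsuarioByDenuncia.php", "id_denuncia": "102", "status": 200}
{"ts": "2025-11-04T13:20:03Z", "src": "203.0.113.7", "user": null, "path": "/backend/api/buscarUsuarioByDenuncia.php", "id_denuncia": "103", "status": 200}
{"ts": "2025-11-04T13:20:04Z", "src": "203.0.113.7", "user": null, "path": "/backend/api/buscarUsuarioByDenuncia.php", "id_denuncia": "104", "status": 200}
{"ts": "2025-11-04T13:21:00Z", "src": "198.51.100.4", "user": "alice", "path": "/backend/api/login.php", "id_denuncia": null, "status": 200}
{"ts": "2025-11-04T13:25:10Z", "src": "198.51.100.4", "user": "alice", "path": "/backend/api/buscarUsuarioByDenuncia.php", "id_denuncia": "101", "status": 200}
"""


def parse_entry(line: str) -> dict:
    entry = json.loads(line)
    entry["ts"] = datetime.fromisoformat(entry["ts"].replace("Z", "+00:00"))
    return entry


def detect(log_text: str, window_s: int = 60, max_distinct_ids: int = 3) -> list:
    """Return (rule, src, detail) findings for the vulnerable endpoint:
    'unauthenticated_access' for each hit without a session, and one
    'id_enumeration' per source that touches >= max_distinct_ids ids within window_s."""
    findings = []
    recent = defaultdict(deque)   # src -> deque of (ts, id_denuncia) inside the window
    enumeration_alerted = set()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_entry(line)
        if e["path"] != ENDPOINT:
            continue
        if e["user"] is None:
            findings.append(("unauthenticated_access", e["src"], e["id_denuncia"]))
        window = recent[e["src"]]
        window.append((e["ts"], e["id_denuncia"]))
        while window and (e["ts"] - window[0][0]).total_seconds() > window_s:
            window.popleft()
        distinct = {i for _, i in window}
        if len(distinct) >= max_distinct_ids and e["src"] not in enumeration_alerted:
            enumeration_alerted.add(e["src"])
            findings.append(("id_enumeration", e["src"], len(distinct)))
    return findings
```

Tune `window_s` and `max_distinct_ids` to the application's normal traffic; a legitimate user rarely needs more than a handful of complaint ids per minute.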


Technical Details

Data Version: 5.2
Assigner Short Name: INCIBE
Date Reserved: 2025-04-16T09:57:02.393Z
CVSS Version: 4.0
State: PUBLISHED

Threat ID: 690a0152dc8910934c3a8ea0

Added to database: 11/4/2025, 1:36:18 PM

Last enriched: 11/4/2025, 1:38:39 PM

Last updated: 11/5/2025, 12:08:36 PM
