CVE-2025-41342: CWE-862 Missing Authorization in CanalDenuncia CanalDenuncia.app
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameter 'id_user' in '/backend/api/buscarUsuarioId.php'.
AI Analysis
Technical Summary
CVE-2025-41342 identifies a critical missing authorization vulnerability (CWE-862) in the CanalDenuncia.app platform, specifically within the backend API endpoint '/backend/api/buscarUsuarioId.php'. The vulnerability arises because the application fails to verify whether the requesting user is authorized to access the data associated with the 'id_user' parameter in the POST request. This lack of proper access control allows an unauthenticated attacker to specify arbitrary user IDs and retrieve sensitive information belonging to other users. The vulnerability does not require any authentication or user interaction, making it remotely exploitable over the network (AV:N) with low attack complexity (AC:L). The CVSS 4.0 score of 8.7 reflects the high confidentiality impact (VC:H) and the absence of integrity or availability impact. The vulnerability was reserved in April 2025 and published in November 2025, with no patches or known exploits currently available. CanalDenuncia.app is used for whistleblowing and reporting, meaning the exposed data could include sensitive personal or organizational information. The root cause is a failure in implementing authorization checks on the backend API, a common security oversight in web applications. Without proper authorization, attackers can harvest user data, potentially leading to privacy violations, reputational damage, and regulatory penalties.
Potential Impact
For European organizations, the impact of CVE-2025-41342 is significant due to the sensitive nature of data handled by CanalDenuncia.app, which is often used for whistleblowing and confidential reporting. Unauthorized access to user information can lead to privacy breaches, loss of trust, and violations of GDPR and other data protection regulations, resulting in heavy fines and legal consequences. Organizations may suffer reputational damage if whistleblower identities or reports are exposed. Additionally, attackers could leverage the disclosed information for further targeted attacks such as social engineering or identity theft. The lack of authentication or user interaction required for exploitation increases the risk of automated mass data harvesting. This vulnerability could also undermine the integrity of whistleblowing processes, discouraging legitimate reporting and weakening organizational compliance frameworks. The absence of patches means organizations must rely on immediate compensating controls to mitigate risk.
Mitigation Recommendations
To mitigate CVE-2025-41342, organizations should immediately implement strict authorization checks on the '/backend/api/buscarUsuarioId.php' endpoint to ensure that users can only access their own data or data they are explicitly permitted to view. This includes validating the 'id_user' parameter against the authenticated user's identity and roles. If authentication is not currently enforced, it must be added to all sensitive API endpoints. Conduct a comprehensive security review and penetration test of the entire CanalDenuncia.app backend to identify and remediate similar authorization flaws. Employ logging and monitoring to detect unusual access patterns or attempts to exploit this vulnerability. Until a vendor patch is available, consider deploying web application firewalls (WAFs) with custom rules to block suspicious POST requests targeting the vulnerable endpoint. Educate developers on secure coding practices related to access control and conduct regular code audits. Finally, notify users about the potential risk and advise on best practices to protect their accounts and data.
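The authorization check the recommendations above describe, as an added example that is not CanalDenuncia's code: a handler in the shape the advisory gives for '/backend/api/buscarUsuarioId.php', first without the check (the CWE-862 pattern) and then with authentication, parameter validation and an object-level authorization step. Table and column names, the session keys 'user_id' and 'roles', and the 'admin' role are assumptions.

```php
<?php
// Added example, not CanalDenuncia's code. Table/column names, the session keys
// 'user_id' and 'roles', and the 'admin' role name are assumptions.
declare(strict_types=1);

// Constructed in-memory data so the script runs offline.
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE usuarios (id INTEGER PRIMARY KEY, nombre TEXT, email TEXT)');
$pdo->exec("INSERT INTO usuarios VALUES (1, 'ana', 'ana@example.test'), (2, 'bea', 'bea@example.test')");

// The vulnerable shape (CWE-862): the record is chosen solely by the client's
// 'id_user'; nothing ties the request to an authenticated caller. For contrast only.
function buscarUsuarioIdSinAutorizacion(PDO $pdo, array $post): array
{
    $st = $pdo->prepare('SELECT id, nombre, email FROM usuarios WHERE id = :id');
    $st->execute([':id' => (int) ($post['id_user'] ?? 0)]);
    return $st->fetch(PDO::FETCH_ASSOC) ?: [];
}

// Hardened shape: authenticate, validate the parameter, then authorize access to
// the specific record before touching the database.
function buscarUsuarioId(PDO $pdo, array $post, array $session): array
{
    if (empty($session['user_id'])) {                       // 1. who is asking?
        return ['status' => 401, 'error' => 'authentication required'];
    }
    $requested = filter_var($post['id_user'] ?? null, FILTER_VALIDATE_INT);
    if ($requested === false) {                             // 2. well-formed id?
        return ['status' => 400, 'error' => 'invalid id_user'];
    }
    $isOwner = $requested === (int) $session['user_id'];    // 3. may this caller
    $isAdmin = in_array('admin', $session['roles'] ?? [], true); //    see this record?
    if (!$isOwner && !$isAdmin) {
        // Log denials: many distinct id_user values refused for one caller is
        // the enumeration pattern the advisory says to monitor for.
        error_log(sprintf('AUTHZ_DENY user=%d id_user=%d', $session['user_id'], $requested));
        return ['status' => 403, 'error' => 'forbidden'];
    }
    $st = $pdo->prepare('SELECT id, nombre, email FROM usuarios WHERE id = :id');
    $st->execute([':id' => $requested]);
    return ['status' => 200, 'data' => $st->fetch(PDO::FETCH_ASSOC) ?: []];
}

// Constructed requests: user 1 reads its own record, tries user 2's, then an unauthenticated caller tries user 2's.
$session = ['user_id' => 1, 'roles' => []];
foreach ([[['id_user' => '1'], $session], [['id_user' => '2'], $session], [['id_user' => '2'], []]] as [$post, $sess]) {
    echo json_encode(buscarUsuarioId($pdo, $post, $sess)), PHP_EOL;
}
```

The same owner-or-role decision belongs in every endpoint that takes a user identifier, not only this one, which is why the review of the whole backend above matters.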
Affected Countries
Spain, Germany, France, Italy, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:57:02.393Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690a0152dc8910934c3a8ea3
Added to database: 11/4/2025, 1:36:18 PM
Last enriched: 11/4/2025, 1:38:59 PM
Last updated: 11/4/2025, 7:16:24 PM