CVE-2025-41345: CWE-862 Missing Authorization in CanalDenuncia CanalDenuncia.app
A lack of authorisation vulnerability has been detected in CanalDenuncia.app. This vulnerability allows an attacker to access other users' information by sending a POST through the parameters 'id_denuncia' and 'id_user' in '/backend/api/buscarDenunciasById.php'.
AI Analysis
Technical Summary
CVE-2025-41345 is classified under CWE-862 (Missing Authorization) and affects CanalDenuncia.app, a platform whose name ("canal de denuncia", Spanish for whistleblowing channel) indicates it is used to receive and manage reports or complaints. The flaw is in the backend API endpoint '/backend/api/buscarDenunciasById.php', which takes a POST request carrying the parameters 'id_denuncia' (the report identifier) and 'id_user' (the user identifier). The endpoint returns the record those parameters select without verifying that the requester owns, or is otherwise entitled to, that record. The parameter names suggest that the identity used to scope the lookup is taken from the client-supplied 'id_user' rather than from the server-side session, which is the classic insecure direct object reference pattern; an attacker can therefore iterate over 'id_denuncia' and 'id_user' values and read other users' reports. The CVSS 4.0 base score of 8.7 (High) corresponds to a network attack vector, low attack complexity, no attack requirements, no privileges and no user interaction required, high confidentiality impact, and no integrity or availability impact. "No privileges required" in that vector means no account is needed at all; the CVE text itself only says that other users' information is exposed, so defenders should assume the worst case (unauthenticated reads) until the vendor states otherwise. No patch and no public exploit were listed at the time of this analysis, but the absence of a published exploit is not reassuring here: the request is a single POST with two identifier parameters and is trivial to script. The CVE was reserved on 2025-04-16 and published by INCIBE in November 2025. Because the application handles whistleblower submissions, unauthorized reads can expose reporter identities and the content of their reports, which is precisely the data such a platform exists to protect.
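To make the flaw and its fix concrete, the following is an added example written for this analysis, not code from CanalDenuncia.app (whose source is not reproduced here). It models the endpoint as a Python function over an in-memory report table. Only the endpoint path and the parameter names 'id_denuncia' and 'id_user' come from the advisory; the table contents, the Session class, the function names, and the assumption that the vulnerable code scopes its lookup by the client-supplied 'id_user' are all constructed for illustration.

```python
"""Model of the access-control flaw behind CVE-2025-41345 and of the fix.

Added illustration for this analysis, not CanalDenuncia.app code. Only the
endpoint path and the parameter names (id_denuncia, id_user) come from the
advisory; everything else below is an assumption made for the example.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional

# Constructed sample data standing in for the reports table: three reports
# belonging to two different users (ids and contents are invented).
REPORTS: Dict[int, dict] = {
    101: {"id_user": 7, "subject": "Expense fraud in finance", "reporter": "alice@example.test"},
    102: {"id_user": 7, "subject": "Harassment complaint", "reporter": "alice@example.test"},
    103: {"id_user": 9, "subject": "Safety violation on site B", "reporter": "bob@example.test"},
}


@dataclass
class Session:
    """Server-side session. user_id is set at login, never from request parameters."""
    user_id: Optional[int] = None


def buscar_denuncias_vulnerable(params: dict, session: Session) -> dict:
    """Assumed vulnerable shape: the lookup is scoped by the client-supplied
    id_user, so the caller decides whose data it is 'allowed' to read, and the
    session is never consulted (an unauthenticated caller works just as well)."""
    report = REPORTS.get(int(params["id_denuncia"]))
    if report is None or report["id_user"] != int(params["id_user"]):
        return {"status": 404}
    return {"status": 200, "data": report}


def buscar_denuncias_fixed(params: dict, session: Session) -> dict:
    """Hardened version: require a session, take the identity from it, and bind
    the lookup to that identity. id_user from the request is ignored entirely."""
    if session.user_id is None:
        return {"status": 401}
    try:
        id_denuncia = int(params["id_denuncia"])
    except (KeyError, ValueError):
        return {"status": 400}
    report = REPORTS.get(id_denuncia)
    # Ownership check against the session, equivalent to
    # SELECT ... WHERE id_denuncia = ? AND id_user = <session user>.
    # Missing and foreign reports get the same 404 so ids cannot be probed.
    if report is None or report["id_user"] != session.user_id:
        return {"status": 404}
    return {"status": 200, "data": report}


def harvest(handler: Callable[[dict, Session], dict], session: Session,
            id_range: Iterable[int], id_user_candidates: Iterable[int]) -> List[int]:
    """What an attacker's script does: sweep id_denuncia and, for each, try a
    handful of id_user values until the endpoint answers 200. Returns the ids
    whose contents were obtained."""
    obtained = []
    candidates = list(id_user_candidates)
    for did in id_range:
        for uid in candidates:
            resp = handler({"id_denuncia": str(did), "id_user": str(uid)}, session)
            if resp["status"] == 200:
                obtained.append(did)
                break
    return obtained


if __name__ == "__main__":
    # Unauthenticated sweep against the vulnerable handler reads every report.
    print(harvest(buscar_denuncias_vulnerable, Session(), range(100, 110), range(1, 20)))
    # The same sweep against the fixed handler, as user 7, yields only user 7's reports.
    print(harvest(buscar_denuncias_fixed, Session(user_id=7), range(100, 110), range(1, 20)))
```

The point of the fixed handler is that the only identity it trusts is the one the server attached to the session at login; the request may still carry 'id_user', but nothing reads it. Roles that legitimately see many reports (case handlers, compliance officers) are handled by an explicit role or assignment check added to the same ownership test, never by a client-supplied value.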
Potential Impact
For European organizations the impact is substantial because of what CanalDenuncia.app handles: whistleblower reports, complaints, and the identity and contact details of the people who file them. Unauthorized disclosure of that data is a personal data breach under the GDPR, with the 72-hour supervisory-authority notification duty of Article 33 where the breach is likely to put individuals' rights at risk, and the EU Whistleblower Protection Directive (Directive (EU) 2019/1937) specifically requires reporting channels to protect the confidentiality of the reporter's identity, so losing that confidentiality is a compliance failure in its own right, not only a reputational one. Exposure of reporter identities or report contents can expose individuals to retaliation or blackmail, deter future reporting, and weaken the governance process the channel exists to support. Because exploitation is a single remote POST with no authentication or user interaction, and because report identifiers are commonly sequential integers, an attacker can enumerate records at scale; the harvest is bounded by the number of reports in the instance, not by any per-account limit. The confidentiality impact is high while integrity and availability are unaffected. Organizations using the platform should treat "was this exploited against us?" as a breach-assessment question with notification deadlines attached, not only as a patching task.
Mitigation Recommendations
The fix belongs in the endpoint and is the vendor's to ship; organizations consuming CanalDenuncia.app as a hosted service should first confirm with the vendor which versions are affected and whether their instance has been patched. The correct server-side change is to stop trusting 'id_user' from the request: require an authenticated session on every call, take the requester's identity from that session, and bind the lookup of 'id_denuncia' to it (in SQL terms, the report id must match AND the owner column must equal the session user), returning the same 404 for a nonexistent report and for someone else's so that valid ids cannot be distinguished by probing. Users who legitimately see many reports (case handlers, compliance officers) must be covered by an explicit role or assignment check, never by a client-supplied flag. The same review should cover every other endpoint that takes an object id, since a missing check in one '...ById' handler is rarely the only one. Input validation (type and range checks on the ids) is worth having but is not an authorization control and does not address this CVE on its own. A WAF cannot tell a user's own id from a foreign one either; as a stopgap it can rate-limit calls to this endpoint per source, block requests that carry no session cookie, and alert on bursts. Logging for this endpoint should capture the session identifier, source address, both parameters and the response code, so that enumeration (many distinct 'id_denuncia' values from one source in a short window) and identity switching (one session sending several 'id_user' values) can be detected, and so that historical logs can be searched to establish whether data was already accessed, which feeds the GDPR breach-notification decision. Until a patch is available, restricting access to the application to known networks or a VPN reduces exposure. Finally, include object-level authorization (IDOR) testing of every id-taking endpoint in the next penetration test of the platform.
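The two log-based signals above (enumeration and identity switching) are easy to check for. The following is an added detection example written for this analysis, not vendor tooling. The log line format it parses is an assumption: a request log that records the session identifier and the two POST parameters alongside the usual timestamp, source address and status; adapt the regular expression to whatever your reverse proxy or application actually writes. All sample lines are constructed.

```python
"""Spotting exploitation of /backend/api/buscarDenunciasById.php in access logs.

Added detection example for this analysis, not vendor tooling. The log line
format is an assumption (a request log that records session id and the two
POST parameters); adapt LOG_RE to your own proxy or application log.
All sample lines are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, Iterator, List, Tuple

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) sess=(?P<sess>\S+) POST "
    r"/backend/api/buscarDenunciasById\.php "
    r"id_denuncia=(?P<did>\d+) id_user=(?P<uid>\d+) (?P<status>\d{3})$"
)

# Constructed sample: one ordinary user reading two of their own reports, then
# one source sweeping consecutive ids while cycling through id_user values.
SAMPLE_LOG = """
2025-11-04T13:30:00Z 203.0.113.5 sess=a1f3 POST /backend/api/buscarDenunciasById.php id_denuncia=101 id_user=7 200
2025-11-04T13:31:10Z 203.0.113.5 sess=a1f3 POST /backend/api/buscarDenunciasById.php id_denuncia=102 id_user=7 200
2025-11-04T13:40:00Z 198.51.100.9 sess=9c0e POST /backend/api/buscarDenunciasById.php id_denuncia=100 id_user=1 404
2025-11-04T13:40:01Z 198.51.100.9 sess=9c0e POST /backend/api/buscarDenunciasById.php id_denuncia=101 id_user=7 200
2025-11-04T13:40:02Z 198.51.100.9 sess=9c0e POST /backend/api/buscarDenunciasById.php id_denuncia=102 id_user=7 200
2025-11-04T13:40:03Z 198.51.100.9 sess=9c0e POST /backend/api/buscarDenunciasById.php id_denuncia=103 id_user=9 200
2025-11-04T13:40:04Z 198.51.100.9 sess=9c0e POST /backend/api/buscarDenunciasById.php id_denuncia=104 id_user=9 404
2025-11-04T13:40:05Z 198.51.100.9 sess=9c0e POST /backend/api/buscarDenunciasById.php id_denuncia=105 id_user=2 404
2025-11-04T13:40:06Z 198.51.100.9 sess=9c0e POST /backend/api/buscarDenunciasById.php id_denuncia=106 id_user=2 404
2025-11-04T13:45:00Z 203.0.113.5 sess=a1f3 GET /backend/api/other.php 200
""".strip().splitlines()


def parse(lines: Iterable[str]) -> Iterator[dict]:
    """Yield structured events for lines that hit the vulnerable endpoint."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # other endpoints, other methods, malformed lines
        yield {
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "ip": m["ip"],
            "sess": m["sess"],
            "did": int(m["did"]),
            "uid": int(m["uid"]),
            "status": int(m["status"]),
        }


def find_enumeration(lines: Iterable[str], window: timedelta = timedelta(minutes=5),
                     max_distinct: int = 5) -> List[Tuple[str, int]]:
    """Flag source addresses that request more than max_distinct different
    id_denuncia values inside any window of the given length. Returns
    (ip, largest distinct count seen in one window) for each flagged source."""
    per_ip: Dict[str, List[dict]] = defaultdict(list)
    for ev in sorted(parse(lines), key=lambda e: e["ts"]):
        per_ip[ev["ip"]].append(ev)
    flagged = []
    for ip, evs in per_ip.items():
        worst, start = 0, 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1  # slide the window forward
            worst = max(worst, len({e["did"] for e in evs[start:end + 1]}))
        if worst > max_distinct:
            flagged.append((ip, worst))
    return flagged


def sessions_switching_id_user(lines: Iterable[str]) -> Dict[str, List[int]]:
    """A legitimate session sends its own id_user every time; a session that
    cycles through several values is guessing. Returns sess -> sorted id_user
    values for every session that used more than one."""
    seen: Dict[str, set] = defaultdict(set)
    for ev in parse(lines):
        seen[ev["sess"]].add(ev["uid"])
    return {s: sorted(u) for s, u in seen.items() if len(u) > 1}


if __name__ == "__main__":
    print(find_enumeration(SAMPLE_LOG))
    print(sessions_switching_id_user(SAMPLE_LOG))
```

Both checks only need fields the application can log itself; the thresholds (five distinct ids in five minutes) are starting values to tune against normal traffic, and a third signal worth adding once the fix is deployed is any request whose 'id_user' differs from the session's user, which after the fix should never succeed and before it identifies exactly the abusive calls.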
Affected Countries
Spain, Germany, France, Italy, Netherlands, Belgium
Technical Details
- Data Version: 5.2
- Assigner Short Name: INCIBE
- Date Reserved: 2025-04-16T09:57:03.670Z
- CVSS Version: 4.0
- State: PUBLISHED
Threat ID: 690a0154dc8910934c3a8ed4
Added to database: 11/4/2025, 1:36:20 PM
Last enriched: 11/4/2025, 1:39:39 PM
Last updated: 11/4/2025, 7:16:29 PM