
CVE-2025-46552: CWE-200: Exposure of Sensitive Information to an Unauthorized Actor in Krypto-Hashers-Community KHC-INVITATION-AUTOMATION

Severity: Medium
Type: Vulnerability
Tags: CVE-2025-46552, cve, cve-2025-46552, cwe-200, cwe-284
Published: Tue Apr 29 2025 (04/29/2025, 22:13:37 UTC)
Source: CVE
Vendor/Project: Krypto-Hashers-Community
Product: KHC-INVITATION-AUTOMATION

Description

KHC-INVITATION-AUTOMATION is a GitHub automation script that automatically invites followers of a bot account to join your organization. In some commits on version 1.2, a vulnerability was identified where user data, including email addresses and Discord usernames, were exposed in API responses without proper access controls. This allowed unauthorized users to access sensitive user information by directly calling specific endpoints. This issue has been patched in a later commit on version 1.2.

AI-Powered Analysis

Last updated: 06/25/2025, 11:02:36 UTC

Technical Analysis

CVE-2025-46552 is a medium-severity vulnerability affecting versions of the Krypto-Hashers-Community KHC-INVITATION-AUTOMATION tool prior to version 1.3. The tool is a GitHub automation script that invites followers of a bot account to join an organization. The vulnerability arises from improper access control on certain API endpoints, which expose sensitive user information such as email addresses and Discord usernames. Specifically, in some commits of version 1.2, these endpoints returned user data without verifying the requester's authorization, so any unauthenticated actor could retrieve this information by directly calling the affected endpoints. The flaw maps to CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and CWE-284 (Improper Access Control). The issue was patched in a later commit within version 1.2; the fixed version is 1.3 or later. The CVSS v4.0 base score is 6.3 (medium), with a vector indicating network attack vector (AV:N), low attack complexity (AC:L), no privileges required (PR:N), no user interaction (UI:N), and low (partial) confidentiality impact (VC:L). No exploitation in the wild was known as of the publication date (April 29, 2025). The vulnerability affects confidentiality only, by exposing personal user data without authorization; it does not affect integrity or availability. Exploitation is easy because no authentication or user interaction is required and complexity is low, so the flaw is reachable by remote attackers; however, the scope is limited to organizations running vulnerable versions of this specific automation tool.
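The access-control failure described above, as an added illustration that is not KHC-INVITATION-AUTOMATION's own code: a minimal model of a follower-listing endpoint in its vulnerable form next to a hardened form that checks authorization first and then returns only the field an invitation workflow actually needs. The function names, the `Request` type, the follower records, the `Authorization` bearer-token check and the token value are all assumptions constructed for the example; the project's real endpoints and data model are not on this page.

```python
# Added illustration; not code from KHC-INVITATION-AUTOMATION. Endpoint names,
# the Request type, the follower records and the token are all constructed.
import hmac
from dataclasses import dataclass, field

# Constructed sample of what the bot account's follower store might hold.
FOLLOWERS = [
    {"login": "alice", "email": "alice@example.org", "discord": "alice#1234"},
    {"login": "bob", "email": "bob@example.org", "discord": "bob#5678"},
]

# Constructed secret; a real deployment would load it from a secret store.
ADMIN_TOKEN = "org-admin-token-EXAMPLE"

# The only field an invitation workflow needs to send a GitHub org invite.
MINIMAL_FIELDS = ("login",)


@dataclass
class Request:
    headers: dict = field(default_factory=dict)


def vulnerable_list_followers(_req: Request) -> dict:
    """The CWE-200/CWE-284 pattern: no authorization check, every field returned."""
    return {"status": 200, "body": [dict(u) for u in FOLLOWERS]}


def _is_authorized(req: Request) -> bool:
    """Accepts only a bearer token equal to the admin token (constant-time compare)."""
    auth = req.headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return False
    return hmac.compare_digest(auth[len("Bearer "):], ADMIN_TOKEN)


def hardened_list_followers(req: Request) -> dict:
    """Authorization first, then data minimization: email and Discord never leave."""
    if not _is_authorized(req):
        return {"status": 401, "body": {"error": "unauthorized"}}
    return {
        "status": 200,
        "body": [{k: u[k] for k in MINIMAL_FIELDS} for u in FOLLOWERS],
    }


if __name__ == "__main__":
    print(vulnerable_list_followers(Request()))
    print(hardened_list_followers(Request()))
    print(hardened_list_followers(Request({"Authorization": f"Bearer {ADMIN_TOKEN}"})))
```

The hardened handler applies two independent fixes: the authorization check closes the CWE-284 hole, and the field allow-list means that even an authorized caller (or a future bug in the check) cannot pull email addresses or Discord handles out of this endpoint, which is the CWE-200 side of the finding.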

Potential Impact

For European organizations utilizing KHC-INVITATION-AUTOMATION versions prior to 1.3, this vulnerability poses a significant risk to user privacy and data protection compliance. Exposure of email addresses and Discord usernames could lead to targeted phishing attacks, social engineering, or identity correlation attacks against employees or community members. Given the sensitivity of personal data under the EU's GDPR framework, unauthorized disclosure could result in regulatory penalties and reputational damage. While the vulnerability does not directly compromise system integrity or availability, the leakage of user information can be leveraged as a stepping stone for further attacks or unauthorized access attempts. Organizations relying on this automation for managing GitHub organization memberships should be aware of the potential for data leakage and the associated risks to their internal and external stakeholders. The impact is particularly relevant for organizations with large developer communities or those integrating Discord communications, where exposed identifiers could facilitate cross-platform profiling or harassment.

Mitigation Recommendations

Organizations should immediately verify the version of KHC-INVITATION-AUTOMATION in use and upgrade to version 1.3 or later where the vulnerability is patched. If upgrading is not immediately feasible, restrict network access to the affected API endpoints by implementing firewall rules or API gateway policies that enforce strict authentication and authorization checks. Conduct an audit of API logs to detect any unusual or unauthorized access patterns to the invitation automation endpoints. Additionally, review and minimize the amount of sensitive user data collected and exposed by automation scripts. Implement monitoring to alert on anomalous API usage. Educate development and DevOps teams on secure coding practices, particularly regarding access control and data exposure in automation tools. Finally, notify affected users about the potential exposure and advise them on best practices to mitigate phishing or social engineering risks.
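The API log audit recommended above, as an added example that is part of neither the advisory nor the project: a small parser over constructed combined-log-format lines that flags successful responses on sensitive endpoints where no authenticated identity was recorded, and clients that walk many distinct user records. The endpoint paths, the log format, the enumeration threshold and every sample line are assumptions made for the example.

```python
# Added example; not the advisory's or the project's code. Log format, endpoint
# paths, threshold and the sample lines below are all constructed.
import re
from collections import defaultdict

# Combined-log-style line: client, ident, remote user, timestamp, request, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Assumed paths that return follower/user records.
SENSITIVE_PREFIXES = ("/api/users/", "/api/followers")
# A client touching this many distinct sensitive paths is treated as enumerating.
ENUM_THRESHOLD = 3

# Constructed sample: one client walks user records with no remote user, one
# admin fetches the follower list with a remote user set, one request is unrelated.
SAMPLE_LOG = """\
198.51.100.7 - - [29/Apr/2025:22:13:37 +0000] "GET /api/users/1 HTTP/1.1" 200 512
198.51.100.7 - - [29/Apr/2025:22:13:38 +0000] "GET /api/users/2 HTTP/1.1" 200 498
198.51.100.7 - - [29/Apr/2025:22:13:38 +0000] "GET /api/users/3 HTTP/1.1" 200 505
198.51.100.7 - - [29/Apr/2025:22:13:39 +0000] "GET /api/users/4 HTTP/1.1" 200 511
203.0.113.5 - admin [29/Apr/2025:22:14:01 +0000] "GET /api/followers HTTP/1.1" 200 2048
203.0.113.9 - - [29/Apr/2025:22:14:05 +0000] "GET /healthz HTTP/1.1" 200 17
this line is not a log record
""".splitlines()


def parse_line(line: str):
    """Return a dict of fields for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def audit(lines):
    """Findings: unauthenticated 200s on sensitive paths, plus per-client enumeration."""
    findings = []
    paths_by_client = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(SENSITIVE_PREFIXES):
            continue
        paths_by_client[rec["ip"]].add(rec["path"])
        # Remote user '-' means the server recorded no authenticated identity.
        if rec["status"] == 200 and rec["user"] == "-":
            findings.append(
                {"kind": "unauthenticated_success", "ip": rec["ip"], "path": rec["path"]}
            )
    for ip, paths in paths_by_client.items():
        if len(paths) >= ENUM_THRESHOLD:
            findings.append({"kind": "enumeration", "ip": ip, "distinct_paths": len(paths)})
    return findings


def count_by_kind(findings):
    """Summarize findings as {kind: count} for a quick triage view."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["kind"]] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print(f)
```

On a real deployment the remote-user field depends on how the server logs authentication; if the API uses bearer tokens that never reach the access log, the same logic should key on whatever field the gateway records (a user id, a token hash, or an explicit `auth=` tag) rather than on `-`. The enumeration check is deliberately simple; a sliding time window per client is the usual next refinement.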


Technical Details

Data Version: 5.1
Assigner Short Name: GitHub_M
Date Reserved: 2025-04-24T21:10:48.173Z
Cisa Enriched: true
Cvss Version: 4.0
State: PUBLISHED

Threat ID: 682d983ac4522896dcbeda6b

Added to database: 5/21/2025, 9:09:14 AM

Last enriched: 6/25/2025, 11:02:36 AM

Last updated: 7/29/2025, 3:39:09 PM

Views: 14

