
CVE-2025-60427: n/a

Severity: Medium
Published: Tue Oct 21 2025 (10/21/2025, 00:00:00 UTC)
Source: CVE Database V5

Description

LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to Broken Access Control, where a user with the DJ role can access analytics data via the Web UI and direct API calls. The backend does not verify role-based permissions for analytics endpoints, allowing unauthorized retrieval of station-wide metrics. This results in information disclosure to less privileged users.

AI-Powered Analysis

Last updated: 10/28/2025, 22:02:25 UTC

Technical Analysis

CVE-2025-60427 identifies a Broken Access Control vulnerability in LibreTime version 3.0.0-alpha.10 and possibly earlier releases. LibreTime is an open-source radio automation and broadcast management system. The backend does not verify role-based permissions on its analytics endpoints, so users assigned the DJ role, normally a low-privilege role, can retrieve station-wide analytics through both the Web UI and direct API calls. Because the missing check is on the server side, hiding analytics links in the UI is not a defense: a DJ account can call the API directly. Data that should be restricted to higher-privileged roles such as administrators or station managers is therefore disclosed to less-privileged users.

The weakness is classified as CWE-284 (Improper Access Control). This analysis attributes the CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N: network-reachable, low attack complexity, requires the privileges of a DJ account (PR:L), no user interaction, high confidentiality impact, and no integrity or availability impact. Note that the CVE record itself lists no CVSS version (see Technical Details below), so treat the vector as this analysis's assessment rather than an assigner-supplied score. No patches or mitigations had been officially published at the time of disclosure, and no exploitation in the wild has been reported. The practical risk is an insider or a compromised DJ account gathering operational data that could support further attacks or competitive intelligence gathering.
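The flaw described above is a missing server-side role check on an analytics handler. The following is an added example written for this page, not LibreTime's own code: it shows a handler that only checks authentication (the behaviour the advisory describes) beside one gated on a minimum role, with deny-by-default for unknown roles. Python is used because LibreTime 3.x's API service is written in Python; the role names other than "dj", the role ordering, the metric fields and the helper names are assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Role names: "dj" comes from the advisory; the other roles and their ordering
# are assumed for illustration and are not LibreTime's own role model.
ROLE_RANK: Dict[str, int] = {"guest": 0, "dj": 1, "program_manager": 2, "admin": 3}


@dataclass(frozen=True)
class User:
    name: str
    role: str


class Forbidden(Exception):
    """Raised when a request fails the access-control check."""


# Constructed sample of station-wide metrics, standing in for the data the
# advisory says only higher-privileged roles should be able to read.
STATION_METRICS = {
    "listeners_peak": 1820,
    "listener_hours": 9475.5,
    "top_show": "Morning Drive",
}


def analytics_vulnerable(user: Optional[User]) -> dict:
    """Mirrors the flaw described: authentication is checked, the role is not,
    so any logged-in account (including a DJ) receives station-wide metrics."""
    if user is None:
        raise Forbidden("authentication required")
    return STATION_METRICS


def require_role(minimum: str) -> Callable:
    """Hypothetical decorator: deny unless the caller's role ranks at least
    `minimum`. Unknown roles rank -1, so the default outcome is deny."""
    def decorator(handler: Callable) -> Callable:
        def wrapped(user: Optional[User], *args, **kwargs):
            if user is None or ROLE_RANK.get(user.role, -1) < ROLE_RANK[minimum]:
                raise Forbidden(f"role {minimum!r} or higher required")
            return handler(user, *args, **kwargs)
        return wrapped
    return decorator


@require_role("program_manager")
def analytics_fixed(user: Optional[User]) -> dict:
    """Hardened handler: the same data, gated on role on the server. Both the
    Web UI view and the JSON API must route through this check; a UI-only
    check leaves the direct API call open, which is the bug the CVE describes."""
    return STATION_METRICS


def can_access(handler: Callable, user: Optional[User]) -> bool:
    """Helper for exercising the handlers: True if the call is permitted."""
    try:
        handler(user)
    except Forbidden:
        return False
    return True


if __name__ == "__main__":
    dj = User("dj_sam", "dj")
    print("vulnerable, DJ:", can_access(analytics_vulnerable, dj))            # True
    print("fixed, DJ:", can_access(analytics_fixed, dj))                      # False
    print("fixed, admin:", can_access(analytics_fixed, User("root", "admin")))  # True
```

The point of the decorator form is that the check lives with the handler rather than in the UI layer, so every route that reaches the analytics data (HTML view, JSON API, any future export) inherits it; an account with a role the server does not recognise is refused rather than allowed through.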

Potential Impact

For European organizations operating radio stations, streaming services, or media outlets on LibreTime, this vulnerability poses a risk of sensitive analytics data exposure. Such data might include listener statistics, broadcast schedules, or other operational metrics that could be leveraged for competitive advantage or to inform targeted attacks. The vulnerability does not allow modification or disruption of service, but unauthorized access to confidential analytics could undermine trust and breach internal data protection policies. Given the medium severity and the need for a DJ-role account, the threat is most relevant to insider scenarios or compromised user credentials. Organizations with open-source broadcast automation deployments should consider the risk of information leakage and the potential regulatory implications under GDPR if personal data (for example listener-level statistics) is indirectly exposed through analytics. The absence of known exploits reduces immediate risk but does not remove the need for proactive mitigation.

Mitigation Recommendations

1. Immediately audit and restrict assignment of the DJ role to trusted users only, minimizing the number of accounts holding it.
2. Implement network segmentation and access controls so that the API and Web UI are reachable only from trusted networks and users.
3. Monitor and log access to the analytics endpoints, including the authenticated user and role, to detect queries from DJ-role accounts; a successful (2xx) analytics response to a DJ account is a direct indicator that the flaw was exercised.
4. Where feasible, apply a custom access-control patch or configuration change that enforces role-based permissions on the analytics endpoints until an official fix is released.
5. Educate DJ-role users about the sensitivity of analytics data and enforce strong authentication (for example multi-factor authentication) to reduce the risk of account compromise.
6. Follow LibreTime project updates and apply official security patches promptly once available.
7. Consider a Web Application Firewall (WAF) or API gateway as an interim control. Note that such a layer can only enforce a role check if it can itself determine the caller's role (for example by terminating authentication); otherwise the realistic interim rule is to restrict the analytics paths to an allow-list of source addresses or to block them entirely.
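Recommendation 3 calls for monitoring analytics access by role. The following is an added example for this page, not LibreTime's own logging or tooling: it parses a constructed application audit-log format in which the user and role are already recorded per request, and separates analytics requests from non-allowed roles into successful reads (the flaw exercised) and denied attempts (what a patched or gateway-protected instance should show). The log format, the analytics path prefixes, the allowed role names and the sample lines are all assumptions.

```python
import re
from collections import Counter
from typing import Dict, Iterable, Iterator, List

# Constructed audit-log format (not LibreTime's): one line per request with the
# authenticated user and role already resolved by the application.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"method=(?P<method>[A-Z]+) path=(?P<path>\S+) status=(?P<status>\d{3})$"
)

# Assumed analytics route prefixes; adjust to the deployment's actual paths.
ANALYTICS_PATH = re.compile(r"^/(api/v2/)?analytics(/|$)")

# Roles allowed to read station-wide analytics. "dj" is from the advisory; the
# allowed role names are assumptions.
ALLOWED_ROLES = {"program_manager", "admin"}

# Constructed sample log lines for the example (not real traffic).
SAMPLE_LOG = """\
2025-10-22T09:14:03Z user=dj_sam role=dj method=GET path=/api/v2/analytics/listener-stats status=200
2025-10-22T09:14:05Z user=dj_sam role=dj method=GET path=/analytics status=200
2025-10-22T09:15:10Z user=maria role=program_manager method=GET path=/api/v2/analytics/listener-stats status=200
2025-10-22T09:16:41Z user=dj_lee role=dj method=GET path=/api/v2/shows/12 status=200
2025-10-22T09:17:02Z user=dj_lee role=dj method=GET path=/api/v2/analytics/top-tracks status=403
garbage line that the parser must skip rather than crash on
"""


def parse(lines: Iterable[str]) -> Iterator[Dict[str, str]]:
    """Yield parsed records; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            yield m.groupdict()


def detect(lines: Iterable[str]) -> Dict[str, List[Dict[str, str]]]:
    """Bucket analytics requests made by non-allowed roles:
    'disclosed' = 2xx, data actually left the server (the bug was hit);
    'blocked'   = any other status, the request was denied."""
    result: Dict[str, List[Dict[str, str]]] = {"disclosed": [], "blocked": []}
    for rec in parse(lines):
        if not ANALYTICS_PATH.match(rec["path"]) or rec["role"] in ALLOWED_ROLES:
            continue
        bucket = "disclosed" if rec["status"].startswith("2") else "blocked"
        result[bucket].append(rec)
    return result


def per_user(records: List[Dict[str, str]]) -> Dict[str, int]:
    """Count events per user, the figure an alert would carry."""
    return dict(Counter(r["user"] for r in records))


if __name__ == "__main__":
    found = detect(SAMPLE_LOG.splitlines())
    for rec in found["disclosed"]:
        print(f"ALERT {rec['ts']} {rec['user']} ({rec['role']}) read {rec['path']}")
    print("disclosed per user:", per_user(found["disclosed"]))  # {'dj_sam': 2}
    print("blocked attempts:", len(found["blocked"]))           # 1
```

Keeping the two buckets apart matters in practice: after a patch or gateway rule is deployed, the "disclosed" count for DJ accounts should drop to zero while "blocked" may rise, which is the signal that the control is working rather than that the attempts have stopped. A plain reverse-proxy access log normally lacks the role field, so the role has to be joined from the application's user store or emitted by the application itself.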


Technical Details

Data Version
5.1
Assigner Short Name
mitre
Date Reserved
2025-09-26T00:00:00.000Z
Cvss Version
null
State
PUBLISHED

Threat ID: 68f7c43cdde5d1d51b4c0d2f

Added to database: 10/21/2025, 5:34:52 PM

Last enriched: 10/28/2025, 10:02:25 PM

Last updated: 12/3/2025, 7:58:46 AM

