CVE-2025-60427: n/a
LibreTime 3.0.0-alpha.10 and possibly earlier is vulnerable to Broken Access Control, where a user with the DJ role can access analytics data via the Web UI and direct API calls. The backend does not verify role-based permissions for analytics endpoints, allowing unauthorized retrieval of station-wide metrics. This results in information disclosure to less privileged users.
AI Analysis
Technical Summary
CVE-2025-60427 identifies a broken access control vulnerability in LibreTime version 3.0.0-alpha.10 and potentially earlier releases. LibreTime is open-source radio automation and broadcast management software. The vulnerability exists because the backend does not enforce role-based access control on its analytics endpoints: a user holding the DJ role, normally one of the least privileged roles, can retrieve station-wide analytics both through the Web UI and by calling the API directly. Whatever the UI hides from a DJ is irrelevant, because the server never checks whether the requesting account is permitted to read analytics before returning the data.

The exposed data is operational metrics; depending on what the deployment collects, this may include listener statistics, broadcast performance data or similar analytics. This is a classic missing-authorization flaw: the endpoints authenticate the caller but never authorize the request. The vulnerability does not allow escalation beyond the DJ role, code execution, or modification of data; its effect is confined to information disclosure.

No CVSS score has been assigned, and no patch or known exploit had been reported as of publication. The record was reserved on September 26, 2025 and published on October 21, 2025. The absence of a patch reference in the record does not mean no fix exists; operators should check the LibreTime project's releases and issue tracker for a fixed version. The broader lesson is that authorization must be validated on the backend for every request, especially in multi-role systems where the UI and the API expose the same data.
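The failure the summary describes, as an added illustration that is not LibreTime's code: a minimal role model with an analytics handler written the way the advisory describes it (authenticated but never authorized) next to the same handler wrapped in a deny-by-default role check. The role names, the metric values and the helper names (`require_roles`, `call`, `menu_for`) are assumptions made for this example. The `menu_for` function makes the point that hiding the link in the Web UI is not a control, because the API path is still reachable.

```python
from dataclasses import dataclass
from enum import Enum
from functools import wraps

# Role names and the metric values below are constructed for this example;
# they are not LibreTime's actual role or endpoint definitions.
class Role(str, Enum):
    ADMIN = "admin"
    PROGRAM_MANAGER = "program_manager"
    DJ = "dj"
    GUEST = "guest"


@dataclass(frozen=True)
class User:
    name: str
    role: Role


class Forbidden(Exception):
    """Raised when an authenticated user lacks the role an endpoint requires."""


# Constructed station-wide metrics standing in for the analytics payload.
STATION_METRICS = {"peak_listeners": 812, "avg_listeners": 240, "top_show": "Morning Drive"}

# Roles that are meant to see station-wide analytics (assumption for this example).
ANALYTICS_ROLES = frozenset({Role.ADMIN, Role.PROGRAM_MANAGER})


def menu_for(user: User) -> list:
    """UI layer: hides the Analytics link from DJs. This is presentation, not enforcement."""
    items = ["schedule", "library"]
    if user.role in ANALYTICS_ROLES:
        items.append("analytics")
    return items


def vulnerable_analytics(user: User) -> dict:
    """Pattern described in the advisory: the handler trusts that the caller is
    authenticated and never checks the role, so a DJ calling the API directly
    gets the same payload an administrator gets."""
    return dict(STATION_METRICS)


def require_roles(*allowed: Role):
    """Deny-by-default decorator: the request is refused unless the user's role
    is explicitly in the allowed set. An unauthenticated caller (None) is refused too."""
    allowed_set = frozenset(allowed)

    def decorator(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if user is None or user.role not in allowed_set:
                who = user.name if user else "<anonymous>"
                raise Forbidden(f"{who} may not call {fn.__name__}")
            return fn(user, *args, **kwargs)
        return wrapper
    return decorator


@require_roles(*ANALYTICS_ROLES)
def hardened_analytics(user: User) -> dict:
    """Same handler with the authorization check enforced on the server side."""
    return dict(STATION_METRICS)


def call(endpoint, user) -> int:
    """Exercise an endpoint the way an HTTP layer would and map the outcome to a status code."""
    try:
        endpoint(user)
        return 200
    except Forbidden:
        return 403


if __name__ == "__main__":
    dj = User("dj_bob", Role.DJ)
    admin = User("alice", Role.ADMIN)
    print("DJ menu:", menu_for(dj))                                       # no 'analytics' entry, but...
    print("DJ -> vulnerable endpoint:", call(vulnerable_analytics, dj))   # 200: data leaks anyway
    print("DJ -> hardened endpoint:", call(hardened_analytics, dj))       # 403
    print("admin -> hardened endpoint:", call(hardened_analytics, admin)) # 200
```

The decorator is applied to the handler itself rather than to a route table so that every path into the function, whether the UI's page controller or a direct API call, goes through the same check; an allow-list of roles with everything else refused is what "deny by default" means in practice.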
Potential Impact
For European organizations using LibreTime, particularly broadcasters, community radio stations and media outlets, this vulnerability could lead to unauthorized disclosure of analytics data. The information disclosed does not by itself compromise system integrity or availability, but it can reveal operational insights such as listener demographics, peak usage times or station performance metrics, which may be useful for competitive intelligence or for undermining trust in the affected organization. If the analytics include personally identifiable information or individual usage patterns, the disclosure may also breach the station's privacy policy or data-protection obligations.

The impact is on confidentiality only; functionality and data integrity are unaffected. Exploitation requires an authenticated account with the DJ role, so the realistic attacker is a DJ-level insider or someone holding stolen or shared DJ credentials; the number of DJ accounts a station has issued, and whether any are shared, therefore determines its exposure. The absence of a known exploit reduces immediate risk but does not remove the need for mitigation, since the issue is reproducible by any DJ who requests the analytics endpoint. Broadcasters relying on LibreTime should assess their exposure and restrict access to analytics data.
Mitigation Recommendations
The definitive fix is in the LibreTime backend: every analytics endpoint must check the requesting user's role before serving data, denying by default and allowing only the roles that are meant to see station-wide metrics (for example, administrators or programme managers). Hiding the analytics page in the Web UI is not sufficient, because the API can be called directly. Operators should upgrade to a fixed release as soon as the project publishes one; those who maintain their own LibreTime fork can apply the same role check themselves.

Until then, compensating controls are: audit user accounts and remove or downgrade DJ accounts that are no longer needed, since every DJ account can read the data; restrict network reachability of the analytics endpoints (for example, allowing them only from an administrator network at the reverse proxy), accepting that this blocks legitimate remote administrators too; log access to the analytics endpoints and alert when a DJ-role account hits them; enforce multi-factor authentication and credential hygiene for all roles to reduce the chance of a stolen DJ login being used; and review whether the analytics data contains personal data covered by data-protection rules, so that any disclosure can be assessed and, where required, reported.
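Worked detection for the logging recommendation above, added here as example code rather than anything shipped by LibreTime: it parses constructed access-log lines, joins each request against an exported user-to-role table, and flags analytics requests from accounts whose role is not allowed to see them, distinguishing successful reads (data already disclosed) from blocked attempts. The log format, the `/analytics` URL layout and the role names are assumptions; adapt the regular expressions to the real server's access log.

```python
import re
from collections import Counter
from typing import Optional

# Constructed access-log sample in a simplified combined-log style:
#   <ip> <user> [<timestamp>] "<method> <path> HTTP/1.1" <status>
# The usernames, paths and entries are invented for this example; LibreTime's
# real log format and analytics URL paths are assumptions, not taken from the project.
SAMPLE_LOG = """\
10.0.0.5 alice [21/Oct/2025:17:01:12 +0000] "GET /api/v2/analytics/listeners HTTP/1.1" 200
10.0.0.9 dj_bob [21/Oct/2025:17:02:40 +0000] "GET /api/v2/analytics/listeners HTTP/1.1" 200
10.0.0.9 dj_bob [21/Oct/2025:17:02:41 +0000] "GET /api/v2/analytics/shows?range=30d HTTP/1.1" 200
10.0.0.9 dj_bob [21/Oct/2025:17:03:02 +0000] "GET /api/v2/schedule HTTP/1.1" 200
10.0.0.12 dj_carol [21/Oct/2025:17:05:00 +0000] "GET /analytics HTTP/1.1" 403
10.0.0.20 - [21/Oct/2025:17:06:30 +0000] "GET /api/v2/analytics/listeners HTTP/1.1" 401
"""

# Constructed user-to-role mapping, as exported from the station's user administration.
USER_ROLES = {"alice": "admin", "dj_bob": "dj", "dj_carol": "dj"}

# Roles permitted to read station-wide analytics (assumption for this example).
ANALYTICS_ROLES = frozenset({"admin", "program_manager"})

LOG_RE = re.compile(
    r'^(?P<ip>\S+) (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})$'
)
# Matches the analytics URL prefix with or without an API version segment (assumed layout).
ANALYTICS_PATH_RE = re.compile(r"^/(?:api/v\d+/)?analytics(?:/|$)")


def parse_line(line: str) -> Optional[dict]:
    """Split one log line into fields; None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_analytics_request(path: str) -> bool:
    """True when the path (query string ignored) is under the analytics prefix."""
    return ANALYTICS_PATH_RE.match(path.split("?", 1)[0]) is not None


def find_unauthorized_analytics_access(log_text: str, user_roles: dict) -> list:
    """Return every analytics request made by an authenticated account whose role
    is not allowed to see analytics. 'disclosed' is True when the server answered
    2xx, i.e. the missing check actually leaked data rather than just being probed."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["user"] == "-":          # unparsable or unauthenticated: not this bug
            continue
        if not is_analytics_request(rec["path"]):
            continue
        role = user_roles.get(rec["user"], "unknown")  # unknown accounts are treated as not allowed
        if role in ANALYTICS_ROLES:
            continue
        findings.append({
            "user": rec["user"], "role": role, "ip": rec["ip"], "ts": rec["ts"],
            "path": rec["path"], "status": rec["status"],
            "disclosed": 200 <= rec["status"] < 300,
        })
    return findings


def disclosures_per_user(findings: list) -> Counter:
    """Successful reads per unauthorized account; a non-empty result is the alert condition."""
    return Counter(f["user"] for f in findings if f["disclosed"])


if __name__ == "__main__":
    hits = find_unauthorized_analytics_access(SAMPLE_LOG, USER_ROLES)
    for h in hits:
        verdict = "DISCLOSED" if h["disclosed"] else "blocked"
        print(f'{h["ts"]} {h["user"]} ({h["role"]}) {h["path"]} -> {h["status"]} {verdict}')
    print("successful reads per unauthorized account:", dict(disclosures_per_user(hits)))
```

Run it over the real access log with the real role export and alert on any non-empty `disclosures_per_user` result. On an unpatched instance a non-empty result is confirmation that data was read, not merely attempted, and belongs in the data-protection assessment; after the fix is deployed the same query should only ever show 403s, which makes it a cheap regression check as well.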
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Sweden, Belgium, Poland, Austria
Technical Details
- Data Version: 5.1
- Assigner Short Name: mitre
- Date Reserved: 2025-09-26T00:00:00.000Z
- CVSS Version: null (no score assigned)
- State: PUBLISHED
Added to database: 10/21/2025, 5:34:52 PM
Last enriched: 10/21/2025, 5:35:38 PM
Last updated: 10/22/2025, 12:37:45 AM