
CVE-2025-62487: The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions. in Palantir com.palantir.acme:gotham-default-apps-bundle

Severity: Low
Vulnerability: CVE-2025-62487
Published: Fri Jan 09 2026 (01/09/2026, 21:17:37 UTC)
Source: CVE Database V5
Vendor/Project: Palantir
Product: com.palantir.acme:gotham-default-apps-bundle

Description

### Details

On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among different artifacts (e.g. other dossiers and presentations). On deployments configured with CBAC, the front-end would present a security picker dialog to set the security level on the uploads, thereby mitigating the issue. On deployments without a CBAC configuration, no security picker dialog appears, leading to a security level of CUSTOM with no markings or datasets selected. The resulting markings and groups for the file uploads thus will be only those added by the "Default authorization rules" defined in the Auth Chooser configuration. On most environments, it is expected that the "Default authorization rules" only add the Everyone group.

AI-Powered Analysis

Last updated: 01/09/2026, 21:55:16 UTC

Technical Analysis

CVE-2025-62487 is a security vulnerability identified in Palantir's Gotham Default Apps Bundle (version 100.30250502.0). The flaw stems from a regression introduced in May 2025 intended to enable file uploads to be shared across different artifacts such as dossiers and presentations. This change inadvertently caused images uploaded through the Dossier front-end app to not be marked with the appropriate security levels. In deployments configured with Context-Based Access Control (CBAC), a security picker dialog prompts users to assign security levels to uploads, mitigating the issue. However, in deployments lacking CBAC, this dialog does not appear, so uploaded files are assigned a default security level labeled CUSTOM without any specific markings or dataset associations. Consequently, only the default authorization rules apply; these typically grant access to the Everyone group alone, effectively exposing such files to all users. Exploitation requires an attacker with some level of privilege and user interaction, and allows intended access restrictions to be bypassed, potentially leading to unauthorized disclosure of sensitive information. The CVSS 3.1 score is 3.5 (low severity), reflecting a network attack vector with low confidentiality impact, no integrity or availability impact, and a requirement for privileges and user interaction. No known exploits have been reported in the wild, and Palantir has published this information as of January 2026 without a patch link provided yet.

Potential Impact

For European organizations utilizing Palantir Gotham Default Apps Bundle, this vulnerability could lead to unauthorized disclosure of sensitive images or documents uploaded via the Dossier app, especially in environments not configured with CBAC. The exposure risk is primarily confidentiality-related, as unauthorized users may gain access to files intended to be restricted. This could impact organizations handling sensitive or classified data, such as government agencies, defense contractors, or critical infrastructure operators. The lack of proper security markings could undermine compliance with European data protection regulations like GDPR if personal or sensitive data is exposed. However, the impact is somewhat limited by the requirement for some level of privilege and user interaction, and the absence of integrity or availability impacts reduces the risk of data tampering or service disruption. Still, the potential for data leakage in sensitive environments warrants attention and remediation.

Mitigation Recommendations

European organizations should first verify whether their Palantir Gotham deployments use CBAC configurations. If CBAC is enabled, the security picker dialog mitigates this vulnerability by enforcing correct security markings on uploads. For deployments without CBAC, organizations should consider enabling CBAC to restore this protection. Until a patch is available, administrators should audit uploaded files for inappropriate access permissions and restrict the 'Default authorization rules' to exclude broad groups like Everyone. Implement strict access control policies and monitor file uploads for anomalous sharing or access patterns. Additionally, organizations should educate users about the risk and encourage cautious handling of file uploads. Regularly review Palantir vendor advisories for patches or updates addressing this issue and apply them promptly once released. Finally, consider network segmentation and enhanced monitoring around Palantir systems to detect potential exploitation attempts.
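The audit the recommendations describe, sketched as an added example over constructed records; this is not Palantir's API or data model. The field names, the assumed default rule outcome (only the Everyone group, as the advisory says is typical) and the group names are all assumptions. It flags uploads that carry the regression's signature (level CUSTOM with no markings or datasets) and whose effective access therefore resolves to nothing beyond the broad default groups.

```python
from dataclasses import dataclass, field

# Constructed model of the behaviour the advisory describes: an upload whose
# security level is CUSTOM with no markings or datasets inherits only the
# groups granted by the "Default authorization rules". Field names, the rule
# outcome and the group names are assumptions, not Palantir's data model.
DEFAULT_AUTH_RULE_GROUPS = {"Everyone"}   # assumed default-rule outcome
BROAD_GROUPS = {"Everyone"}               # groups this audit treats as over-broad


@dataclass
class Upload:
    upload_id: str
    security_level: str                         # "CUSTOM" or a picker-assigned level
    markings: set = field(default_factory=set)
    datasets: set = field(default_factory=set)
    groups: set = field(default_factory=set)    # groups granted via markings/datasets


def effective_groups(upload: Upload) -> set:
    """Groups that can reach the upload once the default rules are applied."""
    return set(upload.groups) | DEFAULT_AUTH_RULE_GROUPS


def is_unmarked_custom(upload: Upload) -> bool:
    """The regression's signature: CUSTOM level with nothing selected."""
    return (upload.security_level == "CUSTOM"
            and not upload.markings and not upload.datasets)


def audit(uploads) -> list:
    """Return ids of uploads whose access resolves only to broad default groups."""
    return [u.upload_id for u in uploads
            if is_unmarked_custom(u) and effective_groups(u) <= BROAD_GROUPS]


# Constructed sample records (not real data)
SAMPLE_UPLOADS = [
    Upload("img-001", "CUSTOM"),  # uploaded with no picker: no markings, no datasets
    Upload("img-002", "CUSTOM", markings={"PROJECT-X"}, groups={"project-x-readers"}),
    Upload("img-003", "LEVEL-A", markings={"A"}, groups={"level-a-readers"}),
]

if __name__ == "__main__":
    print(audit(SAMPLE_UPLOADS))  # expected: ['img-001']
```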


Technical Details

Data Version: 5.2
Assigner Short Name: Palantir
Date Reserved: 2025-10-15T00:02:28.438Z
CVSS Version: 3.1
State: PUBLISHED

Threat ID: 696175d145ea0302aa963f5a

Added to database: 1/9/2026, 9:40:33 PM

Last enriched: 1/9/2026, 9:55:16 PM

Last updated: 1/10/2026, 6:47:49 AM
