CVE-2025-65900 identifies a critical Incorrect Access Control vulnerability in Kalmia CMS version 0.2.0, specifically within the /kal-api/auth/users API endpoint. The vulnerability arises from insufficient permission validation on the backend, allowing authenticated users with minimal read permissions to access sensitive information pertaining to all users on the platform. This excessive data exposure indicates a failure in enforcing the principle of least privilege and inadequate backend authorization checks. The flaw does not require elevated privileges beyond basic authentication, meaning any user with read access can exploit it. The sensitive information exposed could include personally identifiable information (PII), authentication details, or other confidential user data, although exact data types are not specified. No CVSS score is assigned yet, and no public exploits are currently known, but the vulnerability is published and reserved under CVE-2025-65900. The lack of patch links suggests that a fix may not yet be available, increasing the urgency for organizations to implement compensating controls. This vulnerability highlights a common security weakness in web applications where API endpoints do not properly enforce access controls, leading to unauthorized data disclosure. Organizations relying on Kalmia CMS should urgently review their access control policies and audit API endpoints for similar issues.

The primary impact of CVE-2025-65900 is the unauthorized disclosure of sensitive user information, which compromises confidentiality. For European organizations, this can lead to violations of GDPR and other data protection regulations, resulting in legal penalties and reputational damage. Exposure of user data can facilitate further attacks such as phishing, identity theft, or lateral movement within networks. The vulnerability affects all users of the platform, potentially leading to widespread data leakage. Since exploitation requires only basic authentication, insider threats or compromised low-privilege accounts can cause significant damage. The absence of public exploits reduces immediate risk but does not eliminate it, especially if attackers reverse-engineer the vulnerability. The availability and integrity of the system are not directly impacted, but the breach of confidentiality alone is significant. Organizations in sectors handling sensitive personal or financial data are particularly at risk. The vulnerability could also undermine customer trust and lead to financial losses due to incident response and remediation costs.

To mitigate CVE-2025-65900, organizations should immediately audit the /kal-api/auth/users API endpoint and other similar endpoints for proper access control enforcement. Implement strict backend authorization checks that validate user permissions before disclosing any user data. Limit the data returned by API responses to the minimum necessary for the authenticated user's role, adhering to the principle of least privilege. If a patch becomes available from Kalmia CMS, apply it promptly. In the interim, consider implementing network-level restrictions or API gateways that enforce access policies. Conduct thorough logging and monitoring of API access to detect anomalous data retrieval patterns. Educate users about the risks of credential compromise and enforce strong authentication mechanisms such as multi-factor authentication (MFA). Review and update security policies to ensure that all API endpoints are tested for access control vulnerabilities during development and deployment. Engage in regular security assessments and penetration testing focused on authorization controls.