CVE-2025-67796: n/a
IKUS Rdiffweb versions before 2.10.5 contain an improper authorization vulnerability that allows attackers with any valid or stolen access token to impersonate other users. The API fails to enforce proper binding between the authenticated user and the targeted user or tenant, enabling crafted requests to access or modify data belonging to other users and potentially perform privileged actions. This flaw may also allow cross-tenant data access. The issue is fixed in version 2.10.6.
CVSS v3.1
Score: 8.1 (High)
Affected software
Weaknesses
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2025-67796 is an improper authorization vulnerability in IKUS Rdiffweb. The API authenticates the caller's access token but never binds the authenticated subject to the object named in the request: it does not check that the token's owner is the targeted user, or belongs to the targeted tenant. Any valid or stolen token therefore lets an attacker act as other users, reading or modifying their data and potentially performing privileged actions; the same missing binding can expose data across tenants. The advisory lists versions before 2.10.5 as affected and names 2.10.6 as the release containing the fix.
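The pattern described above, as an added example that is not Rdiffweb's own code: a generic user-scoped API handler that validates the token but takes the target user from the request unchecked, next to a hardened version that binds the caller to the target. The User model, the token store, the handler signatures and the "admin within own tenant" rule are assumptions for illustration; the sample users and tokens are constructed.

```python
"""Vulnerable vs. hardened authorization for a user-scoped API endpoint.

Added example, not Rdiffweb's code. The User model, token store, handler
signatures and the "admin within own tenant" rule are assumptions.
"""
from dataclasses import dataclass
from functools import wraps
from typing import Callable, Dict, Tuple


@dataclass
class User:
    name: str
    tenant: str
    email: str = ""
    is_admin: bool = False


# Constructed sample data: two tenants, one tenant-local admin.
USERS: Dict[str, User] = {
    "alice": User("alice", "acme", "alice@acme.example"),
    "bob": User("bob", "globex", "bob@globex.example"),
    "root": User("root", "acme", "root@acme.example", is_admin=True),
}
# Constructed token store: opaque token -> owning user name.
TOKENS: Dict[str, str] = {"tok-alice": "alice", "tok-bob": "bob", "tok-root": "root"}


class Unauthorized(Exception):
    """Token missing or invalid (HTTP 401)."""


class Forbidden(Exception):
    """Caller identified but not allowed to act on the target (HTTP 403)."""


def authenticate(token: str) -> User:
    """Authentication only establishes *who* is calling, nothing more."""
    owner = TOKENS.get(token)
    if owner is None:
        raise Unauthorized("invalid token")
    return USERS[owner]


def lookup(target: str) -> User:
    user = USERS.get(target)
    if user is None:
        # Same status as a denial, so callers cannot enumerate user names.
        raise Forbidden("not allowed to act on this user")
    return user


def authorize(caller: User, target: str) -> User:
    """Bind the authenticated subject to the targeted object.

    Permit self-access, or admin access limited to the caller's own tenant;
    everything else is refused, including admins reaching into other tenants.
    """
    user = lookup(target)
    if caller.name == user.name:
        return user
    if caller.is_admin and caller.tenant == user.tenant:
        return user
    raise Forbidden("not allowed to act on this user")


def as_http(handler: Callable) -> Callable:
    """Map auth exceptions to (status, body) the way a web framework would."""
    @wraps(handler)
    def wrapper(*args, **kwargs) -> Tuple[int, dict]:
        try:
            return 200, handler(*args, **kwargs)
        except Unauthorized as exc:
            return 401, {"error": str(exc)}
        except Forbidden as exc:
            return 403, {"error": str(exc)}
    return wrapper


# --- Vulnerable: the token is validated, but the target user named in the
# request is never compared with the token's owner.
@as_http
def get_profile_vulnerable(token: str, target: str) -> dict:
    authenticate(token)
    user = lookup(target)                 # target chosen freely by the client
    return {"name": user.name, "tenant": user.tenant, "email": user.email}


@as_http
def set_email_vulnerable(token: str, target: str, email: str) -> dict:
    authenticate(token)
    lookup(target).email = email          # any valid token can modify anyone
    return {"updated": target}


# --- Hardened: the same handlers with the subject-to-target check added.
@as_http
def get_profile_fixed(token: str, target: str) -> dict:
    user = authorize(authenticate(token), target)
    return {"name": user.name, "tenant": user.tenant, "email": user.email}


@as_http
def set_email_fixed(token: str, target: str, email: str) -> dict:
    authorize(authenticate(token), target).email = email
    return {"updated": target}


if __name__ == "__main__":
    print("vulnerable:", get_profile_vulnerable("tok-alice", "bob"))
    print("fixed:", get_profile_fixed("tok-alice", "bob"))
    print("admin, other tenant:", get_profile_fixed("tok-root", "bob"))
```

The point of `authorize` is that it runs on every user-scoped route and takes the caller from the token, never from the request body or URL; an unknown target returns the same 403 as a denied one so the check does not double as a user-enumeration oracle.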
Potential Impact
An attacker who holds any valid access token, including one stolen from a low-privilege account, can bypass authorization to read or modify other users' data and potentially perform privileged actions. This compromises the confidentiality and integrity of user data and may expose data across tenants. The CVSS v3.1 score of 8.1 (High) reflects a network attack vector, low attack complexity, low privileges required (a valid token) and high impact on confidentiality and integrity.
Mitigation Recommendations
A fix is available in IKUS Rdiffweb version 2.10.6; users and administrators should upgrade to it. Until the upgrade is applied, treat every issued access token as able to reach every account: revoke tokens that are not strictly needed, rotate any that may have been exposed, limit who can create them, and review API access for requests in which the token belongs to one user but the targeted user or tenant is a different one, since that mismatch is the signature of this abuse. Patch status is confirmed by the vendor's fix in version 2.10.6.
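To act on the monitoring advice above, an added detection sketch that is not Rdiffweb's code and does not use its log format: it assumes an audit log in which each API request records the token's owner and the request path, with user-scoped routes shaped like /api/users/<name>/..., and flags requests whose token owner differs from the targeted user unless the owner is on an allowlist of administrative accounts. The JSON log lines are constructed.

```python
"""Flag API requests whose token owner differs from the targeted user.

Added example, not Rdiffweb's code. The JSON-lines log format, the
/api/users/<name> route shape and the admin allowlist are assumptions.
"""
import json
import re
from collections import Counter
from typing import Dict, Iterable, List, Optional

# Constructed sample audit log: one JSON object per line, one malformed line.
SAMPLE_LOG = """\
{"ts": "2026-05-04T19:21:27Z", "token_owner": "alice", "method": "GET", "path": "/api/users/alice"}
{"ts": "2026-05-04T19:21:30Z", "token_owner": "alice", "method": "GET", "path": "/api/users/bob"}
{"ts": "2026-05-04T19:21:31Z", "token_owner": "alice", "method": "PUT", "path": "/api/users/bob/email"}
{"ts": "2026-05-04T19:22:02Z", "token_owner": "root", "method": "GET", "path": "/api/users/bob"}
{"ts": "2026-05-04T19:22:10Z", "token_owner": "bob", "method": "GET", "path": "/api/users/bob/repos"}
{"ts": "2026-05-04T19:22:11Z", "token_owner": "alice", "method": "GET", "path": "/api/health"}
not json at all
"""

ADMIN_ALLOWLIST = {"root"}   # assumed: accounts expected to act on other users
TARGET_RE = re.compile(r"^/api/users/(?P<user>[^/?]+)")
WRITE_METHODS = {"PUT", "POST", "PATCH", "DELETE"}


def parse_events(text: str) -> List[Dict[str, str]]:
    """Parse JSON lines, skipping malformed or incomplete records instead of aborting."""
    events = []
    for line in text.splitlines():
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(ev, dict) and all(k in ev for k in ("token_owner", "method", "path")):
            events.append(ev)
    return events


def target_user(path: str) -> Optional[str]:
    """User named in a user-scoped route, or None for routes that target nobody."""
    m = TARGET_RE.match(path)
    return m.group("user") if m else None


def find_impersonation(events: Iterable[Dict[str, str]], admins=ADMIN_ALLOWLIST) -> List[dict]:
    """Return requests where the token's owner acts on another user's resource."""
    findings = []
    for ev in events:
        target = target_user(ev["path"])
        if target is None or target == ev["token_owner"]:
            continue
        if ev["token_owner"] in admins:
            continue                      # expected admin traffic; review separately
        findings.append({
            "ts": ev.get("ts"),
            "token_owner": ev["token_owner"],
            "target": target,
            "method": ev["method"],
            "path": ev["path"],
            # writes mean data modification, the higher-impact case
            "severity": "high" if ev["method"] in WRITE_METHODS else "medium",
        })
    return findings


def offenders(findings: Iterable[dict]) -> Counter:
    """Flagged requests per token owner, to prioritise which tokens to revoke."""
    return Counter(f["token_owner"] for f in findings)


if __name__ == "__main__":
    hits = find_impersonation(parse_events(SAMPLE_LOG))
    for h in hits:
        print(h["severity"], h["ts"], h["token_owner"], "->", h["target"], h["method"], h["path"])
    print(offenders(hits))
```

The allowlist hides cross-tenant abuse by an admin token; to catch that as well, add a user-to-tenant map and flag admin requests whose target sits in a different tenant than the token owner.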
Technical Details
- Data Version: 5.2
- Assigner Short Name: mitre
- Date Reserved: 2025-12-12T00:00:00.000Z
- Cvss Version: null
- State: PUBLISHED
- Remediation Level: null
Threat ID: 69f8f1b7cbff5d861042a38a
Added to database: 5/4/2026, 7:21:27 PM
Last enriched: 5/12/2026, 6:23:12 AM
Last updated: 6/19/2026, 3:46:11 AM