CVE-2025-67796 - Vulnerability Analysis
Severity: High
CVSS: 8.1
Last Updated: May 5, 2026
IKUS Rdiffweb - Broken Access Control
Published: May 4, 2026
Updated: May 5, 2026
Remote Exploitable
Overview
IKUS Rdiffweb < 2.10.5 contains a broken access control vulnerability: the API does not bind the authenticated subject to the targeted user/tenant, so an attacker holding a valid or stolen access token can access or modify other users' data and perform privileged actions. Exploitation requires a valid or stolen access token.
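To make the missing binding concrete, the following added example (hypothetical code, not Rdiffweb's own) shows an API handler that takes the target user from the request without comparing it to the token's subject, beside a hardened handler that enforces the binding. The `Subject` type, the `authorize` helper and the `USER_SETTINGS` store are constructed for the illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Subject:
    """Identity recovered from a validated access token (constructed type)."""
    username: str
    is_admin: bool = False


class Forbidden(Exception):
    """Raised when the subject may not act on the targeted user."""


# Constructed sample store: per-user records an API endpoint might expose.
USER_SETTINGS = {
    "alice": {"email": "alice@example.invalid", "role": "user"},
    "bob": {"email": "bob@example.invalid", "role": "user"},
}


def get_settings_vulnerable(subject: Subject, target_user: str) -> dict:
    """Bug class from the advisory: target_user comes from the request path or
    parameter and is never compared with the token's subject, so any valid
    token reads any user's record."""
    return USER_SETTINGS[target_user]


def authorize(subject: Subject, target_user: str) -> bool:
    """Bind subject to target: a user may act only on their own record,
    unless the token carries an admin subject."""
    return subject.is_admin or subject.username == target_user


def get_settings_fixed(subject: Subject, target_user: str) -> dict:
    """Hardened read: enforce the binding before touching the record."""
    if not authorize(subject, target_user):
        raise Forbidden(f"{subject.username} may not access {target_user}")
    return USER_SETTINGS[target_user]


def update_settings_fixed(subject: Subject, target_user: str, changes: dict) -> dict:
    """Hardened write: same binding, plus the privileged field (role) stays
    admin-only so a non-admin token cannot escalate its own account."""
    if not authorize(subject, target_user):
        raise Forbidden(f"{subject.username} may not modify {target_user}")
    if "role" in changes and not subject.is_admin:
        raise Forbidden("role changes require an admin subject")
    USER_SETTINGS[target_user].update(changes)
    return USER_SETTINGS[target_user]
```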
Severity & Score
Severity: High
CVSS Score: 8.1
Impact
Attackers with valid or stolen tokens can access or modify other users' data and perform privileged actions, risking data breach and privilege escalation.
Mitigation
Upgrade to version 2.10.6 or later.
Details
- CVE ID: CVE-2025-67796
- Severity: High
- CVSS Score: 8.1
- Type: broken_access_control
- Status: new
CWE
- CWE-284
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N