Skip to main content

Secure-upload CVE-2025-53709

| EUVDEUVD-2025-21048 MEDIUM
Improper Authorization (CWE-285)
2025-07-10 cve-coordination@palantir.com
5.4
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.4 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch available
Apr 16, 2026 - 05:29 EUVD
0.815.0
EUVD ID Assigned
Mar 16, 2026 - 06:52 euvd
EUVD-2025-21048
Analysis Generated
Mar 16, 2026 - 06:52 vuln.today
CVE Published
Jul 10, 2025 - 19:15 nvd
MEDIUM 5.4

DescriptionCVE.org

Secure-upload is a data submission service that validates single-use tokens when accepting submissions to channels. The service only installed on a small number of environments.

Under specific circumstances, privileged users of secure-upload could have selected email templates not necessarily created for their enrollment when sending data upload requests. Authenticated and privileged users of one enrollment could have abused an endpoint to redirect existing submission channels to a dataset they control. An endpoint handling domain validation allowed unauthenticated users to enumerate existing enrollments. Finally, other endpoints allowed enumerating if a resource with a known RID exists across enrollments.

The affected service has been patched with version 0.815.0 and automatically deployed to all Apollo-managed Foundry instances.

AnalysisAI

A security vulnerability in Secure-upload (CVSS 5.4). Remediation should follow standard vulnerability management procedures.

Technical ContextAI

CWE-285 (Improper Authorization). Affects Secure-upload.

RemediationAI

Monitor vendor channels for patch availability.

Share

CVE-2025-53709 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy