
Galette CVE-2025-58052

Severity: LOW (CVSS 4.0 base score 2.1, GitHub Advisory)
Weakness: Incorrect Authorization (CWE-863)
Published: 2025-12-19 by security-advisories@github.com

Severity by source

GitHub Advisory PRIMARY
2.1 LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS Vector (GitHub Advisory)

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: X (not defined)

Lifecycle Timeline

1. Analysis Generated: Apr 29, 2026, 02:49 (vuln.today)

Description (GitHub Advisory)

Galette is a membership management web application for non-profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with the group manager role can bypass intended restrictions, allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group manager accounts. Version 1.2.0 fixes the issue.

Analysis (AI)

Galette, a membership management application, contains an authorization bypass in versions 0.9.6 through 1.1.x that lets group managers escalate privileges and modify data beyond their intended role scope. Exploitation requires authenticated access as a group manager, and the impact is to the integrity of membership data and organizational controls. Galette 1.2.0 resolves the issue; affected deployments should upgrade promptly to restore proper role-based access control.

Technical Context (AI)

Galette is a web-based membership and donations management system for non-profit organizations. The vulnerability stems from an incomplete implementation of role-based access control (RBAC) and is classified as CWE-863 (Incorrect Authorization). The flaw allows authenticated users with the group manager role to bypass authorization checks that should restrict them to specific organizational functions. Affected versions 0.9.6 through 1.1.x do not properly validate role boundaries when group managers attempt to access or modify protected resources, permitting unauthorized scope escalation within the application's permission model.

Remediation (AI)

Upgrade to Galette version 1.2.0 or later as soon as possible. The vendor has released a patched version that restores proper role-based access control enforcement. Download and deploy version 1.2.0 from the official Galette repository (https://github.com/galette/galette). For deployments that cannot upgrade immediately, restrict group manager role assignment to highly trusted individuals only, enable multi-factor authentication for administrative accounts, enable detailed audit logging of group manager actions, and monitor for unexpected modifications to organizational data or member records. These compensating controls do not eliminate the vulnerability; they only reduce the likelihood of exploitation by limiting the number of high-privilege accounts that could be compromised. No workaround exists short of modifying the code, so patching is the primary remediation path.


CVE-2025-58052 vulnerability details – vuln.today
