Skip to main content

IKUS Rdiffweb CVE-2025-67796

| EUVDEUVD-2025-209635 HIGH
Improper Access Control (CWE-284)
2026-05-04 mitre GHSA-v4gp-hf5j-4566
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

2
Analysis Generated
May 05, 2026 - 16:24 vuln.today
CVSS changed
May 05, 2026 - 16:22 NVD
8.1 (HIGH)

DescriptionCVE.org

IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6.

AnalysisAI

Improper authorization in IKUS Rdiffweb before 2.10.5 allows authenticated attackers with low-privilege API access tokens to read or modify data belonging to other users and tenants without additional authorization checks. The API fails to validate that the authenticated token subject matches the targeted user in requests, enabling horizontal privilege escalation and cross-tenant data access. Fixed in version 2.10.6. EPSS score of 0.02% (4th percentile) indicates low current exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.

Technical ContextAI

Rdiffweb is a web-based interface for rdiff-backup, a backup solution that creates incremental backups. This vulnerability stems from CWE-284 (Improper Access Control), specifically an Insecure Direct Object Reference (IDOR) pattern in the API layer. The authentication mechanism validates that a token is legitimate but does not enforce authorization checks binding the token's subject (authenticated user identity) to the user/tenant resources being accessed in API requests. This is a common broken object-level authorization (BOLA) flaw where horizontal access control fails - an authenticated user can manipulate API parameters (likely user IDs or tenant identifiers) to access resources of other users at the same privilege level. The CPE data is incomplete (n/a entries), but the GitLab references confirm IKUS Rdiffweb as the affected product with versions prior to 2.10.5 vulnerable.

RemediationAI

Upgrade to IKUS Rdiffweb version 2.10.6 or later, which contains the authorization enforcement fix per vendor advisory at https://gitlab.com/ikus-soft/rdiffweb. This is the primary and recommended remediation. If immediate patching is not feasible, implement compensating controls: (1) Revoke and regenerate all API access tokens to invalidate potentially compromised credentials, accepting temporary service disruption for API integrations that must reconfigure with new tokens. (2) Implement network segmentation to restrict API access only to trusted IP ranges or internal networks, reducing attack surface but limiting legitimate remote API usage. (3) Enable aggressive API request logging and monitoring to detect anomalous cross-user/tenant access patterns, though this is detective rather than preventive. (4) For multi-tenant deployments, consider temporarily isolating tenants to separate Rdiffweb instances if business-critical data segregation is required before patching, accepting operational overhead of managing multiple instances. None of these workarounds fully mitigate the vulnerability - upgrading to 2.10.6 is the only complete fix.

Share

CVE-2025-67796 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy