Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
2DescriptionCVE.org
IKUS Rdiffweb before 2.10.5 has an improper authorization flaw that allows an attacker with any valid or stolen access token to act as other users. The API does not enforce binding between the authenticated subject and the targeted user/tenant, so crafted requests can read or modify other users data and, in some cases, perform privileged actions. This issue may enable cross-tenant access. Fixed in version 2.10.6.
AnalysisAI
Improper authorization in IKUS Rdiffweb before 2.10.5 allows authenticated attackers with low-privilege API access tokens to read or modify data belonging to other users and tenants without additional authorization checks. The API fails to validate that the authenticated token subject matches the targeted user in requests, enabling horizontal privilege escalation and cross-tenant data access. Fixed in version 2.10.6. EPSS score of 0.02% (4th percentile) indicates low current exploitation probability, and no public exploit code or active exploitation has been identified at time of analysis.
Technical ContextAI
Rdiffweb is a web-based interface for rdiff-backup, a backup solution that creates incremental backups. This vulnerability stems from CWE-284 (Improper Access Control), specifically an Insecure Direct Object Reference (IDOR) pattern in the API layer. The authentication mechanism validates that a token is legitimate but does not enforce authorization checks binding the token's subject (authenticated user identity) to the user/tenant resources being accessed in API requests. This is a common broken object-level authorization (BOLA) flaw where horizontal access control fails - an authenticated user can manipulate API parameters (likely user IDs or tenant identifiers) to access resources of other users at the same privilege level. The CPE data is incomplete (n/a entries), but the GitLab references confirm IKUS Rdiffweb as the affected product with versions prior to 2.10.5 vulnerable.
RemediationAI
Upgrade to IKUS Rdiffweb version 2.10.6 or later, which contains the authorization enforcement fix per vendor advisory at https://gitlab.com/ikus-soft/rdiffweb. This is the primary and recommended remediation. If immediate patching is not feasible, implement compensating controls: (1) Revoke and regenerate all API access tokens to invalidate potentially compromised credentials, accepting temporary service disruption for API integrations that must reconfigure with new tokens. (2) Implement network segmentation to restrict API access only to trusted IP ranges or internal networks, reducing attack surface but limiting legitimate remote API usage. (3) Enable aggressive API request logging and monitoring to detect anomalous cross-user/tenant access patterns, though this is detective rather than preventive. (4) For multi-tenant deployments, consider temporarily isolating tenants to separate Rdiffweb instances if business-critical data segregation is required before patching, accepting operational overhead of managing multiple instances. None of these workarounds fully mitigate the vulnerability - upgrading to 2.10.6 is the only complete fix.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2025-209635
GHSA-v4gp-hf5j-4566