PowerJob list authorization
Description
A weakness has been identified in PowerJob up to 5.1.2. This affects the function list of the file /user/list. This manipulation causes missing authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
PowerJob ≤5.1.2 exposes the /user/list endpoint without authorization, allowing unauthenticated remote attackers to enumerate all registered users.
Vulnerability
Overview
CVE-2025-11580 describes a missing authorization vulnerability in the distributed job scheduling framework PowerJob, affecting versions up to and including 5.1.2. The flaw resides in the UserInfoController.list() method mapped to the /user/list endpoint. The controller method lacks the @ApiPermission annotation and performs no internal authorization checks, allowing any unauthenticated request to access the full list of registered users [1][3].
Exploitation
An attacker can exploit this vulnerability by sending a simple HTTP GET request to /user/list without any authentication tokens or headers. The request does not require any special privileges or network position, as the endpoint is exposed to remote callers. The reference includes a verified proof-of-concept showing that the server returns all user information in JSON format [3].
Impact
A successful attack allows an unauthenticated remote attacker to enumerate all user accounts in the PowerJob instance. This information leakage can be used to identify valid usernames, which may facilitate further targeted attacks such as credential stuffing, phishing, or privilege escalation against those users. The advisory notes that this is a CWE-862 Missing Authorization issue and constitutes a vertical authorization error [3].
Mitigation
As of the advisory date (October 2025) no patched release is listed: the Maven coordinates above show no patched version, and the proposed fix in the linked issue is to add the @ApiPermission annotation to the list method so that PowerJob's permission check is applied to it [3]. Deployments that build PowerJob from source can apply that code-level change directly; otherwise, watch for a release after 5.1.2 that includes it and, until then, keep the server's web endpoints off untrusted networks (for example behind an authenticating reverse proxy) so that /user/list is not reachable anonymously. The project maintainers were notified via the GitHub issue linked in the advisory [3].
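The shape of that remediation, as an added example rather than PowerJob's own source: the same Spring MVC handler with and without the annotation. It assumes that PowerJob's web controllers return tech.powerjob.common.response.ResultDTO, that authorization is applied by an interceptor which inspects @ApiPermission on the handler method (so a handler without it is served to anyone), and that the annotation's attributes are name and roleScope as in PowerJob 5.x; UserService and UserBaseVO are hypothetical stand-ins for the real service and view object. Check all of these against the source tree you run.

```java
// Added example, not PowerJob's own code. Assumptions are listed in the
// comments below and should be verified against the PowerJob source tree.
import java.util.List;

import org.springframework.web.bind.annotation.GetMapping;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RestController;

import tech.powerjob.common.response.ResultDTO;           // assumed response wrapper
import tech.powerjob.server.auth.RoleScope;                // assumed enum
import tech.powerjob.server.auth.interceptor.ApiPermission; // assumed annotation

@RestController
@RequestMapping("/user")
public class UserInfoController {

    /** Hypothetical view object: what a registered user looks like to the API. */
    public static class UserBaseVO {
        public Long id;
        public String username;
        public String nick;
    }

    /** Hypothetical data-access service. */
    public interface UserService {
        List<UserBaseVO> listAll();
    }

    private final UserService userService;

    public UserInfoController(UserService userService) {
        this.userService = userService;
    }

    // BEFORE (CVE-2025-11580): no @ApiPermission and no check inside the body.
    // Under the assumed interceptor, which only examines annotated handlers,
    // an anonymous GET /user/list reaches this method and returns every user:
    //
    //     @GetMapping("/list")
    //     public ResultDTO<List<UserBaseVO>> list() {
    //         return ResultDTO.success(userService.listAll());
    //     }

    // AFTER: the annotation puts the handler under the interceptor's check, so
    // a request without a valid login is refused before this method runs and a
    // logged-in caller must hold the named permission. roleScope = GLOBAL is
    // used because listing every account is an instance-wide operation, not
    // one tied to a single app or namespace (attribute semantics assumed).
    @ApiPermission(name = "User-List", roleScope = RoleScope.GLOBAL)
    @GetMapping("/list")
    public ResultDTO<List<UserBaseVO>> list() {
        return ResultDTO.success(userService.listAll());
    }
}
```

After deploying the annotated handler, repeat the proof-of-concept request from the advisory: an unauthenticated GET /user/list should now be rejected by the interceptor instead of returning the user list, and the list should come back only for a logged-in caller that holds the required role.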
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| tech.powerjob:powerjob (Maven) | <= 5.1.2 | — |
Affected products
- PowerJob/PowerJob
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/PowerJob/PowerJob/issues/1127 (ghsa; exploit, issue-tracking; web)
- github.com/advisories/GHSA-87xj-ghmc-c3xq (ghsa; advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-11580 (ghsa; advisory)
- vuldb.com (ghsa; third-party-advisory; web)
- vuldb.com (ghsa; signature, permissions-required; web)
- vuldb.com (ghsa; vdb-entry, technical-description; web)
News mentions
No linked articles in our index yet.