VYPR
Moderate severity · NVD Advisory · Published Oct 10, 2025 · Updated Feb 24, 2026

PowerJob OpenAPIController runJob authorization

CVE-2025-11581

Description

A security vulnerability has been detected in PowerJob up to 5.1.2. This vulnerability affects unknown code of the file /openApi/runJob of the component OpenAPIController. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

PowerJob ≤5.1.2's OpenAPIController lacks authorization on /openApi/runJob, enabling remote unauthenticated job execution.

Vulnerability

Description

CVE-2025-11581 is an authorization bypass vulnerability in PowerJob up to version 5.1.2. The flaw resides in the OpenAPIController component, specifically in the /openApi/runJob endpoint. The controller methods lack proper security annotations such as @ApiPermission, allowing unauthenticated access to sensitive operations [1]. A CodeQL analysis disclosed on GitHub revealed multiple unauthenticated endpoints within the same controller [2].
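The annotation gap described above can be audited statically. The following is an added example, not PowerJob's own code and not the CodeQL query from the cited analysis: a small Python checker that walks a Java controller's annotation stack and reports handler methods that carry a Spring mapping annotation but no @ApiPermission. The sample controller, its annotation arguments and its method names are constructed for illustration.

```python
import re
from typing import Dict, List

# Constructed sample in the shape the advisory describes: a Spring controller
# where one handler carries @ApiPermission and another does not. This is not
# PowerJob's source; annotation arguments are invented and bodies are elided.
SAMPLE_CONTROLLER = """\
@RestController
@RequestMapping("/openApi")
public class OpenAPIController {

    @ApiPermission(name = "openApi-saveJob")
    @PostMapping("/saveJob")
    public ResultDTO<Long> saveJob(@RequestBody SaveJobInfoRequest req) { /* ... */ }

    @PostMapping("/runJob")
    public ResultDTO<Long> runJob(Long appId, Long jobId) { /* ... */ }
}
"""

MAPPING_RE = re.compile(r'@(?:Request|Get|Post|Put|Delete|Patch)Mapping\s*\(\s*"([^"]*)"')
PERMISSION_ANNOTATION = "@ApiPermission"  # the annotation named in the advisory


def find_unprotected_handlers(java_source: str) -> List[Dict[str, str]]:
    """Return handlers whose annotation stack has a mapping but no @ApiPermission.
    Heuristic only: a check enforced by a filter or interceptor elsewhere is not seen."""
    base_path = ""
    pending: List[str] = []  # annotations seen since the last declaration
    findings: List[Dict[str, str]] = []
    for raw in java_source.splitlines():
        line = raw.strip()
        if line.startswith("@"):
            pending.append(line)
        elif line.startswith("public class"):
            paths = [MAPPING_RE.match(a).group(1) for a in pending if MAPPING_RE.match(a)]
            base_path = paths[0] if paths else ""  # class-level prefix for handler paths
            pending = []
        elif line.startswith("public "):
            paths = [MAPPING_RE.match(a).group(1) for a in pending if MAPPING_RE.match(a)]
            protected = any(a.startswith(PERMISSION_ANNOTATION) for a in pending)
            if paths and not protected:
                name = re.search(r"\s(\w+)\s*\(", line)
                findings.append({"method": name.group(1) if name else "?",
                                 "path": base_path + paths[0]})
            pending = []
        elif line:
            pending = []  # any other code resets the annotation stack
    return findings
```

Running `find_unprotected_handlers(SAMPLE_CONTROLLER)` reports only `runJob` at `/openApi/runJob`, the one handler in the sample without the permission annotation.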

Attack

Vector and Exploitation

The vulnerability is remotely exploitable without authentication. An attacker can send crafted HTTP requests to the /openApi/runJob endpoint to invoke job execution functions that should require authorization. The project's design intended the OpenAPI endpoints to be secured, but the missing permission check leaves them exposed [2]. A proof-of-concept exploit has been publicly disclosed, increasing the risk of active exploitation.

Impact

Successful exploitation allows an unauthorized remote attacker to trigger arbitrary job executions on the PowerJob server. This can lead to unauthorized task scheduling, resource consumption, and potential disruption of scheduled workflows. Given PowerJob's role as a distributed job scheduler, this could enable further lateral movement or impact the availability of critical batch processes.

Mitigation and Status

As of the advisory, no patched version has been released. The vendor's GitHub repository has an open issue documenting the flaw [2]. Users are advised to restrict network access to the PowerJob server, implement a web application firewall (WAF) rule to block unauthenticated requests to /openApi/* endpoints, or disable the OpenAPI module if not required [3]. The vulnerability is not yet listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                        Affected versions   Patched versions
tech.powerjob:powerjob-server-starter (Maven)  <= 5.1.2            -

Affected products: 2

Patches: 0 (no patches discovered yet)
