CVE-2025-25683
Description
AlekSIS-Core is vulnerable to Incorrect Access Control. Unauthenticated users can access all PDF files. This affects AlekSIS-Core 3.0, 3.1, 3.1.1, 3.1.2, 3.1.3, 3.1.4, 3.1.5, 3.1.6, 3.2.0 and 3.2.1.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
AlekSIS-Core allows unauthenticated users to access all PDF files generated in the last 24 hours by guessing sequential IDs, affecting multiple versions.
The vulnerability stems from an incorrect access control check in AlekSIS-Core's PDF file retrieval logic. The permission verification only activates when the requesting user has an associated person object; unauthenticated users, lacking a person, bypass the check entirely [2]. This allows them to access any PDF file stored in the system.
Exploitation is straightforward: an attacker triggers the generation of a PDF file (e.g., by submitting a form), observes the file's ID in the GraphQL response, and then enumerates adjacent IDs to retrieve other PDFs created within the last 24 hours [1]. No authentication or special privileges are required.
The impact is significant because the exposed PDFs may contain sensitive information such as substitution plans, class register printouts, or other documents generated by third-party apps [1]. Although files are automatically deleted after 24 hours, the window of exposure is sufficient for data harvesting.
AlekSIS has addressed the issue in the upcoming release 4.0.0 and backported fixes to versions 3.1.7 and 3.2.2. Users are advised to update their installations using the provided pip commands [1].
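As an added illustration (not AlekSIS's own code), the following Python models the check pattern the narrative describes, where the permission rule only runs when a person object is attached, next to a deny-by-default version; the object shapes, the `core.view_pdffile` permission name and the sample IDs are assumptions made for this example, not taken from the AlekSIS code base.

```python
from dataclasses import dataclass, field
from typing import FrozenSet, Optional

# Minimal stand-ins for Django user / person / file objects (constructed for this example).
@dataclass(frozen=True)
class Person:
    id: int

@dataclass
class User:
    is_authenticated: bool
    person: Optional[Person] = None
    perms: FrozenSet[str] = field(default_factory=frozenset)

@dataclass
class PDFFile:
    id: int
    owner: Optional[Person]  # person whose request generated the file

ANONYMOUS = User(is_authenticated=False)  # an anonymous request carries no person

def can_view_pdf_vulnerable(user: User, pdf: PDFFile) -> bool:
    """Pattern the advisory describes: the permission rule runs only when a
    person is attached, so a request without a person falls through to allow."""
    if user.person is not None:
        return pdf.owner == user.person or "core.view_pdffile" in user.perms  # hypothetical permission name
    return True  # BUG: unauthenticated users (no person) are never rejected

def can_view_pdf_fixed(user: User, pdf: PDFFile) -> bool:
    """Deny by default: an unauthenticated or person-less request is rejected
    before any ownership or permission rule is consulted."""
    if not user.is_authenticated or user.person is None:
        return False
    return pdf.owner == user.person or "core.view_pdffile" in user.perms

def demo() -> dict:
    """Run both checks against the same file for several requesters."""
    alice, bob = Person(1), Person(2)
    pdf = PDFFile(id=1042, owner=alice)  # constructed sample file
    return {
        "anon_vulnerable": can_view_pdf_vulnerable(ANONYMOUS, pdf),
        "anon_fixed": can_view_pdf_fixed(ANONYMOUS, pdf),
        "owner_fixed": can_view_pdf_fixed(User(True, alice), pdf),
        "other_fixed": can_view_pdf_fixed(User(True, bob), pdf),
        "admin_fixed": can_view_pdf_fixed(User(True, bob, frozenset({"core.view_pdffile"})), pdf),
    }

if __name__ == "__main__":
    print(demo())
```

The anonymous case is the one the advisory is about: the vulnerable check returns True for it, the deny-by-default check returns False, while owners and permission holders are unaffected.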
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
- Range: >=3.0,<=3.2.1
Patches (0)
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References (2)
News mentions (0)
No linked articles in our index yet.