CVE-2025-66391

An attacker with a read-only Citrix Cloud account intercepts the server response on the profile page and manipulates JSON fields such as `recoveryEmail`, `canChangePassword`, and `canChangePrimaryEmail` [ref_id=1]. The application fails to re-validate authorization for the subsequent write workflow, so it sends a one-time password (OTP) to the attacker-supplied email address [ref_id=1]. The same technique can also initiate a password-change flow. Although the attacker must already possess a valid read-only session, the lack of server-side authorization checks on these privileged actions constitutes an authorization bypass vulnerability.

The advisory does not include a published patch. The researcher notes that the application allows triggering privileged features without proper checks and that server-side authorization validation is missing on the email-change and password-change workflows [ref_id=1]. A proper fix would require the server to independently verify that the requesting account holds write-level permissions before executing any identity-management operation, rather than relying on client-side response fields.