VYPR
Medium severity, score 4.3 · NVD Advisory · Published Jun 1, 2026

CVE-2026-28511

Description

eLabFTW versions prior to 5.4.2 allow authenticated users to see titles of unauthorized resources via numeric search, potentially leaking sensitive info.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

In eLabFTW versions prior to 5.4.2, an authenticated user who submits a numeric search query (the fast-search path in which a number is also matched against the entry id) may receive results that include titles of resources they are not authorized to view. Only the numeric reference/search functionality is affected; non-numeric searches apply the permission filter correctly [1].

Exploitation

An attacker needs only a standard authenticated user account, with no privileges beyond normal access. By submitting a numeric query to the search, the attacker triggers the vulnerability and observes titles of resources outside their authorized scope [1].
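The mechanism is SQL operator precedence: when a permission fragment that starts with AND is appended to a WHERE clause that already contains an OR, the AND binds tighter than the OR and the filter guards only the last disjunct. The following is an added example, not eLabFTW's own code, that reproduces the pre-5.4.2 and 5.4.2 query shapes shown in the patch on this page against a constructed SQLite table. It assumes a simplified team-based permission fragment in place of the real $canFilter and assumes $idSql is an " OR entity.id = :id" clause for numeric queries; both are stand-ins, as is the sample data.

```python
import sqlite3

# Constructed sample data (not from eLabFTW): team 1 is the caller's team, team 2 is foreign.
SCHEMA = """
CREATE TABLE entity (id INTEGER PRIMARY KEY, title TEXT NOT NULL, team INTEGER NOT NULL);
INSERT INTO entity (id, title, team) VALUES
  (1, 'Plasmid prep batch 1', 1),
  (2, 'Confidential: client compound screen', 2),
  (3, 'Sample 2 growth curve', 1),
  (4, 'Run 2 notes', 2);
"""

# Stand-in for $canFilter: the caller may only read entries in their own team.
# Assumption: like the real fragment, it starts with AND so it can be appended to a WHERE clause.
CAN_FILTER = " AND entity.team = :teamid"


def _id_sql(query: str) -> str:
    """Assumed shape of $idSql: a numeric query additionally matches on entity.id."""
    return " OR entity.id = :idq" if query.isdigit() else ""


def _run(sql: str, query: str, teamid: int) -> list[str]:
    """Execute one search against a fresh in-memory copy of the sample data."""
    params = {"query": f"%{query}%", "teamid": teamid}
    if query.isdigit():
        params["idq"] = int(query)
    with sqlite3.connect(":memory:") as conn:
        conn.executescript(SCHEMA)
        return [row[0] for row in conn.execute(sql, params)]


def vulnerable_search(query: str, teamid: int) -> list[str]:
    """Pre-5.4.2 shape: WHERE title LIKE :query OR id = :idq AND <canFilter>.
    AND binds tighter than OR, so the permission filter guards only the id
    disjunct; every title match, from any team, is returned."""
    sql = ("SELECT entity.title FROM entity WHERE entity.title LIKE :query"
           + _id_sql(query) + CAN_FILTER + " ORDER BY entity.id")
    return _run(sql, query, teamid)


def fixed_search(query: str, teamid: int) -> list[str]:
    """5.4.2 shape: WHERE 1=1 <canFilter> AND (title LIKE :query OR id = :idq).
    The parentheses make the permission filter apply to both disjuncts."""
    sql = ("SELECT entity.title FROM entity WHERE 1=1" + CAN_FILTER
           + " AND (entity.title LIKE :query" + _id_sql(query) + ")"
           + " ORDER BY entity.id")
    return _run(sql, query, teamid)


if __name__ == "__main__":
    # Numeric query as a team-1 user: the old query leaks 'Run 2 notes' from team 2.
    print("vulnerable, numeric:", vulnerable_search("2", teamid=1))
    print("fixed, numeric:     ", fixed_search("2", teamid=1))
    # Non-numeric query: no OR is appended, so the old query is already correct.
    print("vulnerable, text:   ", vulnerable_search("Run", teamid=1))
```

The text-query case is why the advisory scopes the issue to numeric search: without the id disjunct there is no OR for the appended AND to misbind to. The general lesson carries beyond this CVE: any filter fragment appended to a WHERE clause by string concatenation must be treated as an operand, so each concatenated fragment gets its own parentheses.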

Impact

Successful exploitation discloses the titles of entries the user is not permitted to read. The severity depends on what users put in titles: project names or other confidential information embedded in a title would be exposed. Access to the underlying protected resource content remains blocked [1].

Mitigation

Version 5.4.2 fixes this issue. No other mitigation details or workarounds are disclosed in the available references. The vulnerability was published on 2026-06-01 [1].

AI Insight generated on Jun 1, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

1
52d436992c23

bug/medium: fix sql query for fast search

https://github.com/elabftw/elabftw · Nicolas CARPi · Mar 1, 2026 · Fixed in 5.4.2 · via llm-release-walk
1 file changed · +2 −2
  • src/Models/AbstractEntity.php  +2 −2  modified
    @@ -670,9 +670,9 @@ public function readAllSimple(QueryParamsInterface $displayParams): array
                 LEFT JOIN users ON entity.userid = users.userid
                 LEFT JOIN
                     users2teams ON (users2teams.users_id = :userid AND users2teams.teams_id = :teamid)
    -            WHERE
    -                entity.title LIKE :query ' . $idSql . '
    +            WHERE 1=1
                 ' . $canFilter . '
    +                AND (entity.title LIKE :query ' . $idSql . ')
                 ' . $displayParams->getFilterSql() . '
                 ' . $displayParams->getStatesSql('entity') . '
                 ' . $displayParams->getSql();
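Review bot: The fix depends on an unstated coupling between string fragments: `WHERE 1=1 ' . $canFilter . '` is valid SQL only if `$canFilter` is empty or begins with AND, and `(entity.title LIKE :query ' . $idSql . ')` only if `$idSql` is empty or begins with OR; neither contract is visible in this hunk or documented. The parenthesised `AND (...)` on the added line is the real fix: in the removed lines, `entity.title LIKE :query <idSql> <canFilter>` let the appended filter bind, by AND-over-OR precedence, only to the last disjunct, so when `$idSql` contributed an OR clause the title matches bypassed the permission check. Suggest a one-line comment above the WHERE stating the precedence hazard and the expected leading keyword of each fragment, and wrapping the `getFilterSql()` and `getStatesSql()` fragments on the following lines in parentheses as well if either can ever contain an OR.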
    

References

1
