CVE-2026-41464
Description
ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
ProjeQtor 7.0-12.4.3 has missing authorization in objectDetail.php, allowing guest users to access password hashes and API keys of all users, leading to privilege escalation.
Vulnerability
ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint. The endpoint fails to validate whether the authenticated user owns the requested resource or has appropriate role-based permissions, allowing unauthorized access to sensitive data [1][2][3].
Exploitation
An attacker with a guest-level account can remotely access the /view/objectDetail.php endpoint without any additional user interaction. By manipulating parameters such as object identifiers, the attacker can retrieve password hashes and API keys belonging to other users, including administrators [2]. The vulnerability can be exploited over the network with only low-privilege credentials.
Impact
Successful exploitation enables the attacker to obtain password hashes, which can be cracked offline, and API keys that can be used to impersonate legitimate users. This can lead to privilege escalation and full compromise of administrator accounts, potentially allowing complete control over the ProjeQtor instance [2][3].
Mitigation
The vendor released version 12.4.4 to address this issue. Users should upgrade immediately. Additionally, enforce systematic access control on every request and use indirect object references tied to the user session [2].
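Illustrative PHP for the two mitigations just named (an added example, not ProjeQtor's own code): every helper name, the row layout and the sample data are constructed assumptions.

```php
<?php
// Added example, not ProjeQtor code: the two mitigations named above, a per-request
// authorization check and session-bound indirect object references. All data,
// helper names and the row layout are constructed.
$users = [ // constructed stand-in for the users table (id => row)
    1 => ['id' => 1, 'name' => 'admin', 'profile' => 'admin', 'password_hash' => '<hash-1>', 'api_key' => '<key-1>'],
    2 => ['id' => 2, 'name' => 'guest', 'profile' => 'guest', 'password_hash' => '<hash-2>', 'api_key' => '<key-2>'],
];
// Indirect references: lists hand out random per-session tokens, not database ids;
// the token -> id map stays server-side.
function issueReference(array &$session, string $class, int $id): string {
    $token = bin2hex(random_bytes(16));
    $session['refs'][$token] = ['class' => $class, 'id' => $id];
    return $token;
}
// Per-request authorization: admins may read any user row, others only their own.
function canView(array $viewer, array $row): bool {
    return $viewer['profile'] === 'admin' || $viewer['id'] === $row['id'];
}
// Output filtering: the API key goes only to its owner; the password hash is
// never part of a detail response, for anyone.
function filterRow(array $viewer, array $row): array {
    unset($row['password_hash']);
    if ($viewer['id'] !== $row['id']) {
        unset($row['api_key']);
    }
    return $row;
}
// Hardened objectDetail-style handler: resolve the session token, authorize the
// viewer, then filter. Returns null for every denial so "no such object" and
// "not yours" look the same to the caller.
function objectDetail(array $session, array $viewer, array $users, string $token): ?array {
    $ref = $session['refs'][$token] ?? null;
    if ($ref === null || $ref['class'] !== 'User') {
        return null;
    }
    $row = $users[$ref['id']] ?? null;
    if ($row === null || !canView($viewer, $row)) {
        return null;
    }
    return filterRow($viewer, $row);
}
// Demo: the guest sees their own record (no hash); even with a valid token for
// the admin row, the ownership/role check still denies the request.
$session = [];
$guest = $users[2];
$own = issueReference($session, 'User', 2);
$adminRef = issueReference($session, 'User', 1);
var_dump(objectDetail($session, $guest, $users, $own));
var_dump(objectDetail($session, $guest, $users, $adminRef));
```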
AI Insight generated on May 18, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
References: 4
News mentions: 0
No linked articles in our index yet.