CVE-2025-63291
Analyzed Analyzed - Analysis Complete

BaseFortify

Vulnerability report for CVE-2025-63291, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2025-11-14

Last updated on: 2026-06-01

Assigner: MITRE

Description

When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying particlar MongoDB object IDs, callers could obtain records for other users without proper authorization. Records retrievable using this attack included administrative API keys and private studio api keys.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2025-11-14
Last Modified
2026-06-01
Generated
2026-07-06
AI Q&A
2025-11-14
EPSS Evaluated
2026-07-05
NVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
alteryx server 2022.1.1.42654
alteryx server 2024.1

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-648 The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Alteryx server versions 2022.1.1.42654 and 2024.1, where the server uses MongoDB object IDs to identify data requested via API calls. However, the server does not verify if the authenticated user has permission to access the data associated with the specified MongoDB object ID. As a result, an attacker can specify certain MongoDB object IDs to access records belonging to other users without proper authorization, including sensitive information like administrative API keys and private studio API keys.

Impact Analysis

This vulnerability can lead to unauthorized data access, allowing attackers to retrieve sensitive information such as administrative API keys and private studio API keys. This unauthorized access can compromise the security of the system, potentially leading to further exploitation, data breaches, and loss of control over administrative functions.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63291. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart