CVE-2025-63291
Analyzed Analyzed - Analysis Complete
BaseFortify

Publication date: 2025-11-14

Last updated on: 2026-06-01

Assigner: MITRE

Description
When processing API requests, the Alteryx server 2022.1.1.42654 and 2024.1 used MongoDB object IDs to uniquely identify the data being requested by the caller. The Alteryx server did not check whether the authenticated user had permission to access the specified MongoDB object ID. By specifying particlar MongoDB object IDs, callers could obtain records for other users without proper authorization. Records retrievable using this attack included administrative API keys and private studio api keys.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-11-14
Last Modified
2026-06-01
Generated
2026-06-16
AI Q&A
2025-11-14
EPSS Evaluated
2026-06-15
NVD
CVE-2025-63291
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
alteryx server 2022.1.1.42654
alteryx server 2024.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-648 The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability occurs in the Alteryx server versions 2022.1.1.42654 and 2024.1, where the server uses MongoDB object IDs to identify data requested via API calls. However, the server does not verify if the authenticated user has permission to access the data associated with the specified MongoDB object ID. As a result, an attacker can specify certain MongoDB object IDs to access records belonging to other users without proper authorization, including sensitive information like administrative API keys and private studio API keys.

Impact Analysis

This vulnerability can lead to unauthorized data access, allowing attackers to retrieve sensitive information such as administrative API keys and private studio API keys. This unauthorized access can compromise the security of the system, potentially leading to further exploitation, data breaches, and loss of control over administrative functions.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-63291. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart