CVE-2025-63291
BaseFortify
Publication date: 2025-11-14
Last updated on: 2025-11-18
Assigner: MITRE
Description
CVSS Scores
EPSS Scores
| Metric | Value |
|---|---|
| Probability | |
| Percentile | |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| alteryx | server | 2022.1.1.42654 |
| alteryx | server | 2024.1 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-648 | The product does not conform to the API requirements for a function call that requires extra privileges. This could allow attackers to gain privileges by causing the function to be called incorrectly. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability occurs in the Alteryx server versions 2022.1.1.42654 and 2024.1, where the server uses MongoDB object IDs to identify data requested via API calls. However, the server does not verify if the authenticated user has permission to access the data associated with the specified MongoDB object ID. As a result, an attacker can specify certain MongoDB object IDs to access records belonging to other users without proper authorization, including sensitive information like administrative API keys and private studio API keys.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized data access, allowing attackers to retrieve sensitive information such as administrative API keys and private studio API keys. This unauthorized access can compromise the security of the system, potentially leading to further exploitation, data breaches, and loss of control over administrative functions.
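The missing object-level authorization check described above, shown as an added example that is not code from Alteryx or BaseFortify: a lookup keyed only on the MongoDB ObjectId beside a hardened version that validates the ID and scopes the query to the calling user (or an admin role). The in-memory collection, user names and key values are constructed for the example.

```python
import re
from typing import Optional

# Constructed stand-in for a MongoDB collection of API-key records.
# Record contents, owners and key values are assumptions for this example.
RECORDS = {
    "64b1f0c2e4a1b2c3d4e5f601": {"owner": "alice", "api_key": "sk-alice-EXAMPLE"},
    "64b1f0c2e4a1b2c3d4e5f602": {"owner": "bob", "api_key": "sk-bob-EXAMPLE"},
    "64b1f0c2e4a1b2c3d4e5f603": {"owner": "admin", "api_key": "sk-admin-EXAMPLE"},
}
USERS = {"alice": set(), "bob": set(), "admin": {"admin"}}  # user -> roles
OBJECT_ID_RE = re.compile(r"^[0-9a-f]{24}$")  # 12-byte ObjectId as 24 hex chars


def find_one(query: dict) -> Optional[dict]:
    """Tiny stand-in for collection.find_one(): exact match on every key."""
    for oid, doc in RECORDS.items():
        candidate = dict(doc, _id=oid)
        if all(candidate.get(k) == v for k, v in query.items()):
            return candidate
    return None


def get_record_vulnerable(object_id: str, user: str) -> Optional[dict]:
    """Pattern behind CWE-648 style IDOR: the query is keyed only on the
    client-supplied _id, so any authenticated user reads any record."""
    return find_one({"_id": object_id})


def get_record_hardened(object_id: str, user: str) -> Optional[dict]:
    """Reject malformed IDs, then put the authorization predicate in the
    query itself so a foreign ObjectId simply matches nothing."""
    if not OBJECT_ID_RE.match(object_id):
        return None
    if "admin" in USERS.get(user, set()):
        return find_one({"_id": object_id})  # admins may read any record
    # Ownership is enforced by the query, not by a post-fetch check that
    # could be forgotten; a miss returns "not found" rather than "forbidden",
    # so the response does not confirm that the guessed ID exists.
    return find_one({"_id": object_id, "owner": user})
```

Auditing every handler that accepts a raw ObjectId for the second pattern (an ownership or role predicate in the query) is the practical way to find the rest of the affected endpoints.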