CVE-2025-15106
Unknown Unknown - Not Provided
Improper Authorization in getmaxun Authentication Endpoint (router.get

Publication date: 2025-12-27

Last updated on: 2026-04-29

Assigner: VulDB

Description
A weakness has been identified in getmaxun maxun up to 0.0.28. The affected element is the function router.get of the file server/src/routes/auth.ts of the component Authentication Endpoint. Executing manipulation can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be exploited. The vendor was contacted early about this disclosure but did not respond in any way.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-27
Last Modified
2026-04-29
Generated
2026-06-16
AI Q&A
2025-12-27
EPSS Evaluated
2026-06-15
NVD
CVE-2025-15106
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
getmaxun maxun 0.0.28
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-285 The product does not perform or incorrectly performs an authorization check when an actor attempts to access a resource or perform an action.
CWE-266 A product incorrectly assigns a privilege to a particular actor, creating an unintended sphere of control for that actor.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a weakness in the getmaxun maxun software up to version 0.0.28, specifically in the router.get function within the Authentication Endpoint component. It allows an attacker to perform improper authorization by manipulating the function remotely, potentially gaining unauthorized access.

Impact Analysis

The vulnerability can lead to improper authorization, meaning an attacker could remotely exploit it to gain unauthorized access to protected resources or functions, potentially compromising the security of the system.

Compliance Impact

The vulnerability allows unauthorized access to sensitive user information, including email addresses and private API keys, by bypassing proper authorization controls. This improper authorization and exposure of personal data can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict access controls and protection of personal and sensitive information. Therefore, exploitation of this vulnerability could result in non-compliance with these standards due to unauthorized disclosure and potential misuse of protected data. [1, 2, 3]

Detection Guidance

This vulnerability can be detected by monitoring API requests to the /auth/user/:id endpoint for unauthorized access attempts where a valid token is used to access user IDs other than the token owner's. You can detect exploitation attempts by capturing HTTP GET requests that include different user IDs in the URL path while using the same authentication token. For example, using curl commands to test access with a valid token to different user IDs can help identify the vulnerability. Example command: curl -H "Authorization: Bearer <valid_token>" https://<target>/auth/user/2688 and then changing the user ID to see if data for other users is accessible. Network monitoring tools can also be configured to alert on such suspicious token reuse across different user IDs. [3]

Mitigation Strategies

Immediate mitigation steps include restricting access to the vulnerable /auth/user/:id endpoint, monitoring and blocking suspicious requests that attempt to access other users' data, and applying strict access controls. Since no official patch or vendor response is available, it is recommended to upgrade to version 0.0.29 of maxun where the issue is fixed. Alternatively, replace the affected component with a secure alternative. Additionally, review and modify the authorization logic to ensure the user ID is obtained from the authenticated token payload rather than from request parameters, preventing unauthorized access. [2, 3]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-15106. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart