CVE-2025-67274
Unknown Unknown - Not Provided

Information Disclosure in continuous.software Aangine via Multiple Modules

Vulnerability report for CVE-2025-67274, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-01-26

Last updated on: 2026-02-12

Assigner: MITRE

Description

An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-01-26
Last Modified
2026-02-12
Generated
2026-07-06
AI Q&A
2026-01-26
EPSS Evaluated
2026-07-05
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
continuous.software aangine 2025.2

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-200 The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2025-67274 is a Broken Access Control vulnerability (specifically Broken Object Level Authorization - BOLA) in the aangine application version 2025.2. It allows low-privileged authenticated users to access multiple admin-restricted backend API endpoints without proper authorization. This happens because the APIs fail to correctly validate user roles or scope claims in JWT tokens, enabling attackers to bypass role and scope checks and access sensitive administrative data by sending direct HTTP requests to these endpoints. [3]

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive information such as internal configuration data, integration job details, logs, and portfolio or project-related records. Attackers exploiting this flaw can gain access to administrative data without proper permissions, potentially compromising the confidentiality of critical business information. [3]

Detection Guidance

This vulnerability can be detected by monitoring for unauthorized HTTP requests to admin-restricted API endpoints related to template download, integration job listings, and portfolio data retrieval. Specifically, look for requests to endpoints of the excel-integration-service, integration-persistence-service, and portfolio-item-service modules made by low-privileged users. Commands to detect such activity could include using network traffic inspection tools like tcpdump or Wireshark to filter HTTP requests to these endpoints, or using curl commands to test access control by attempting to access these endpoints with low-privileged credentials. For example, a curl command to test access might be: curl -i -H "Authorization: Bearer <low-privilege-token>" https://<target>/api/excel-integration-service/template-download. Monitoring logs for unauthorized access attempts or unexpected data retrieval from these endpoints can also help detect exploitation attempts. [3]

Mitigation Strategies

Immediate mitigation steps include applying the vendor's patch or update that implements proper backend authorization controls to restrict access to admin-restricted API endpoints. Until the patch is applied, restrict access to the affected API endpoints by network-level controls such as firewall rules or API gateway policies to limit access only to authorized administrative users. Additionally, monitor logs and network traffic for suspicious access patterns to these endpoints and revoke any compromised credentials. Inform users about the vulnerability and enforce strict authentication and authorization policies. [3]

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-67274. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart