CVE-2025-70363
Insecure Access Control in Ibexa eZ Platform REST API
Publication date: 2026-03-06
Last updated on: 2026-03-09
Assigner: MITRE
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| ibexa | ez_platform | 2.x |
| ciril_group | ciril_platform | 2.x |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-284 | The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2025-70363 is an access control vulnerability in the REST API of Ibexa eZ Platform and Ciril Platform version 2.x.
This flaw allows unauthenticated attackers to enumerate object IDs and thereby gain unauthorized access to sensitive data.
The issue arises due to incorrect access control mechanisms within the API, enabling attackers to bypass authentication and retrieve protected information.
How can this vulnerability impact me? :
This vulnerability can allow unauthenticated attackers to access sensitive data without proper authorization.
By enumerating object IDs through the REST API, attackers can retrieve protected information that should normally be restricted.
Such unauthorized data access can lead to data breaches, loss of confidentiality, and potential misuse of sensitive information.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
[{'type': 'paragraph', 'content': 'This vulnerability involves incorrect access control in the REST API of Ibexa eZ Platform and Ciril Platform 2.x, allowing unauthenticated attackers to enumerate object IDs and access sensitive data.'}, {'type': 'paragraph', 'content': 'To detect this vulnerability on your system, you can attempt to access the REST API endpoints without authentication and try to enumerate object IDs to see if sensitive data is accessible.'}, {'type': 'paragraph', 'content': 'A possible command to test this could be using curl to send unauthenticated requests to the API, for example:'}, {'type': 'list_item', 'content': 'curl -X GET "http://<target-host>/api/objects/<object-id>"'}, {'type': 'paragraph', 'content': 'By iterating over different object IDs, if you can retrieve data without authentication, the vulnerability is present.'}] [1]
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps should focus on restricting unauthenticated access to the REST API endpoints that expose sensitive data.
Ensure proper access control mechanisms are enforced on the API to prevent enumeration of object IDs by unauthenticated users.
If possible, apply any available patches or updates from the vendor that address this access control issue.
As a temporary measure, consider restricting network access to the API to trusted users or IP addresses until a permanent fix is applied.