CVE-2026-25197
Insecure Direct Object Reference in API Allows Unauthorized Profile Access
Publication date: 2026-04-03
Last updated on: 2026-04-22
Assigner: ICS-CERT
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| mygardyn | cloud_api | to 2.12.2026 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-639 | The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves a specific API endpoint that allows authenticated users to access other users' profiles by changing the user ID number in the API request. Essentially, once logged in, a user can manipulate the ID parameter to view or potentially interact with data belonging to other users without proper authorization.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to sensitive user information, compromising confidentiality and privacy. Since users can pivot to other profiles, it may result in data breaches, exposure of personal or confidential data, and potential misuse of that information. This can damage trust, lead to identity theft, or other malicious activities.