CVE-2026-41464
Missing Authorization in ProjeQtor ObjectDetail.php Enables Privilege Escalation
Publication date: 2026-04-27
Last updated on: 2026-04-27
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| projeqtor | projeqtor | From 7.0 (inc) to 12.4.3 (inc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-862 | The product does not perform an authorization check when an actor attempts to access a resource or perform an action. |
Attack-Flow Graph
AI Powered Q&A
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should restrict access to the objectDetail.php endpoint to only authorized users and implement proper ownership and role-based access control validation.
Ensure that authenticated users with guest-level privileges cannot access sensitive data belonging to other users.
Consider updating ProjeQtor to a version later than 12.4.3 where this vulnerability is fixed, if such an update is available.
Can you explain this vulnerability to me?
CVE-2026-41464 is a missing authorization vulnerability in ProjeQtor versions 7.0 through 12.4.3, specifically in the objectDetail.php endpoint.
This flaw allows authenticated users with only guest-level privileges to access sensitive data belonging to other users, such as password hashes and API keys.
The vulnerability exists because the endpoint does not properly validate ownership or role-based access controls, enabling attackers to bypass restrictions by directly querying the endpoint.
Exploiting this vulnerability can lead to extraction of administrator credentials and privilege escalation.
How can this vulnerability impact me? :
This vulnerability can have serious impacts including unauthorized access to sensitive user data such as password hashes and API keys.
Attackers with guest-level access can escalate their privileges by extracting administrator credentials, potentially gaining full control over the affected system.
Such unauthorized access and privilege escalation can lead to data breaches, loss of confidentiality, and compromise of system integrity.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows authenticated users with guest-level privileges to access sensitive data of other users, including password hashes and API keys, by bypassing authorization controls.
This unauthorized access to sensitive personal and security-related information could lead to data breaches, which may violate data protection regulations such as GDPR and HIPAA that require strict access controls and protection of personal and sensitive data.
Therefore, exploitation of this vulnerability could result in non-compliance with these common standards and regulations due to failure to adequately protect user data and prevent unauthorized access.