CVE-2026-41464
Status: Received - Intake
Missing Authorization in ProjeQtor ObjectDetail.php Enables Privilege Escalation

Publication date: 2026-04-27

Last updated on: 2026-04-27

Assigner: VulnCheck

Description
ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users, including password hashes and API keys. Because the endpoint performs no ownership or role-based validation, an attacker can call it directly to extract administrator credentials and escalate privileges.
Meta Information
Published: 2026-04-27
Last Modified: 2026-04-27
Generated: 2026-06-16
AI Q&A: 2026-04-27
EPSS Evaluated: 2026-06-15
Affected Vendors & Products
Vendor: projeqtor
Product: projeqtor
Version range: from 7.0 (inclusive) to 12.4.3 (inclusive)
CWE
CWE-862: The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
Executive Summary

CVE-2026-41464 is a missing authorization vulnerability in ProjeQtor versions 7.0 through 12.4.3, specifically in the objectDetail.php endpoint.

This flaw allows authenticated users with only guest-level privileges to access sensitive data belonging to other users, such as password hashes and API keys.

The vulnerability exists because the endpoint does not properly validate ownership or role-based access controls, enabling attackers to bypass restrictions by directly querying the endpoint.

Exploiting this vulnerability can lead to extraction of administrator credentials and privilege escalation.

Impact Analysis

This vulnerability can have serious impacts, including unauthorized access to sensitive user data such as password hashes and API keys.

Attackers with guest-level access can escalate their privileges by extracting administrator credentials, potentially gaining full control over the affected system.

Such unauthorized access and privilege escalation can lead to data breaches, loss of confidentiality, and compromise of system integrity.

Compliance Impact

The vulnerability allows authenticated users with guest-level privileges to access sensitive data of other users, including password hashes and API keys, by bypassing authorization controls.

This unauthorized access to sensitive personal and security-related information could lead to data breaches, which may violate data protection regulations such as GDPR and HIPAA that require strict access controls and protection of personal and sensitive data.

Therefore, exploitation of this vulnerability could result in non-compliance with these common standards and regulations due to failure to adequately protect user data and prevent unauthorized access.

Mitigation Strategies

To mitigate this vulnerability, you should restrict access to the objectDetail.php endpoint to only authorized users and implement proper ownership and role-based access control validation.

Ensure that authenticated users with guest-level privileges cannot access sensitive data belonging to other users.

Consider updating ProjeQtor to a version later than 12.4.3 where this vulnerability is fixed, if such an update is available.
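As an added example (not ProjeQtor's code and not a reconstruction of objectDetail.php), the following hypothetical PHP detail handler shows the CWE-862 shape beside the kind of ownership and role validation the mitigation above describes. The function names, the `owner_id`/`roles` fields, the `admin` role name and the in-memory rows are all assumptions constructed for the example.

```php
<?php
// Hypothetical object-detail handler (added example, not ProjeQtor code).
// Columns that must never be serialised to any caller.
const SENSITIVE_FIELDS = ['password_hash', 'api_key'];

// Vulnerable shape (CWE-862): checks only that the caller is logged in,
// then returns every column of whatever object id was requested.
function objectDetailVulnerable(array $currentUser, int $objectId): array
{
    if (empty($currentUser['id'])) {
        throw new RuntimeException('authentication required');
    }
    return loadObjectById($objectId) ?? []; // no ownership or role check
}

// Hardened shape: authorization is decided per object, and secrets are
// stripped from the response no matter who asks.
function objectDetailHardened(array $currentUser, int $objectId): array
{
    if (empty($currentUser['id'])) {
        throw new RuntimeException('authentication required');
    }
    $object = loadObjectById($objectId);
    if ($object === null) {
        throw new RuntimeException('not found');
    }
    $isOwner = ((int) $object['owner_id'] === (int) $currentUser['id']);
    $isAdmin = in_array('admin', $currentUser['roles'] ?? [], true);
    if (!$isOwner && !$isAdmin) {
        // Log the denial for detection; answer exactly as for a missing id
        // so the response does not confirm which ids exist.
        error_log(sprintf('authz denied: user %d requested object %d',
            $currentUser['id'], $objectId));
        throw new RuntimeException('not found');
    }
    // Never return credentials, even to the owner or an administrator.
    return array_diff_key($object, array_flip(SENSITIVE_FIELDS));
}

// Constructed in-memory rows standing in for the database (assumed schema).
function loadObjectById(int $id): ?array
{
    static $rows = [
        1 => ['id' => 1, 'owner_id' => 1, 'name' => 'admin',
              'password_hash' => '$2y$10$constructed-hash-1', 'api_key' => 'constructed-key-1'],
        2 => ['id' => 2, 'owner_id' => 2, 'name' => 'guest',
              'password_hash' => '$2y$10$constructed-hash-2', 'api_key' => 'constructed-key-2'],
    ];
    return $rows[$id] ?? null;
}

// A guest-level user requests the administrator's record.
$guest = ['id' => 2, 'roles' => ['guest']];

$leak = objectDetailVulnerable($guest, 1);
echo 'vulnerable: ' . (isset($leak['password_hash']) ? "password hash returned\n" : "no hash\n");

try {
    objectDetailHardened($guest, 1);
} catch (RuntimeException $e) {
    echo 'hardened: ' . $e->getMessage() . "\n";
}

// The owner's own record still works, minus the secret fields.
print_r(objectDetailHardened($guest, 2));
```

Two design points worth carrying into a real fix: the authorization decision is made against the loaded object (owner or privileged role), not against the caller's session alone, and sensitive columns are removed before serialisation so that a future authorization slip cannot expose them again. The `error_log` line on denial is the hook for alerting on repeated cross-user requests.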
