CVE-2026-28511
eLabFTW Title Exposure via Numeric Search
Publication date: 2026-06-01
Last updated on: 2026-06-01
Assigner: GitHub, Inc.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| elabftw | elabftw | all versions before 5.4.2 (5.4.2 not affected) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-200 | The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in eLabFTW, an open source electronic lab notebook, in versions prior to 5.4.2. It allows an authenticated user performing a numeric reference or search to receive results that include titles of resources they are not authorized to view. However, the actual content of these protected resources remains inaccessible due to authorization checks.
How can this vulnerability impact me?
The vulnerability can lead to unauthorized disclosure of sensitive information if confidential data is included in the titles of resources. For example, project names, patient identifiers, or other regulated information embedded in titles could be exposed to users without proper authorization.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
This vulnerability may impact compliance with standards and regulations such as GDPR and HIPAA because it can result in unauthorized disclosure of sensitive or regulated information contained in resource titles. Even though the full content remains protected, exposure of confidential identifiers or personal data in titles could violate data protection and privacy requirements.
What immediate steps should I take to mitigate this vulnerability?
The immediate step to mitigate this vulnerability is to upgrade eLabFTW to version 5.4.2 or later, where the issue has been fixed.