{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-41464", "assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "state": "PUBLISHED", "assignerShortName": "VulnCheck", "dateReserved": "2026-04-20T16:07:47.310Z", "datePublished": "2026-04-27T15:10:24.699Z", "dateUpdated": "2026-04-27T15:10:24.699Z"}, "containers": {"cna": {"providerMetadata": {"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10", "shortName": "VulnCheck", "dateUpdated": "2026-04-27T15:10:24.699Z"}, "title": "ProjeQtor < 12.4.4 Missing Authorization via objectDetail.php", "problemTypes": [{"descriptions": [{"lang": "en", "cweId": "CWE-862", "description": "CWE-862 Missing Authorization", "type": "CWE"}]}], "affected": [{"vendor": "ProjeQtor", "product": "ProjeQtor", "versions": [{"status": "affected", "version": "7.0", "lessThanOrEqual": "12.4.3", "versionType": "semver"}, {"status": "unaffected", "version": "12.4.4", "versionType": "semver"}], "defaultStatus": "unaffected"}], "descriptions": [{"lang": "en", "value": "ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.", "supportingMedia": [{"type": "text/html", "base64": false, "value": "ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.<br>"}]}], "references": [{"url": "https://damiri.fr/en/cves/CVE-2026-41464", "tags": ["technical-description", "exploit"]}, {"url": "https://gryfman.fr/cves/CVE-2026-41464", "tags": ["technical-description", "exploit"]}, {"url": "https://www.projeqtor.com", "tags": ["product"]}, {"url": "https://www.vulncheck.com/advisories/projeqtor-missing-authorization-via-objectdetail-php"}], "metrics": [{"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV4_0": {"attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnIntegrityImpact": "NONE", "subIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "version": "4.0", "baseSeverity": "HIGH", "baseScore": 7.1, "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N"}}, {"format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}], "cvssV3_1": {"version": "3.1", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE", "baseSeverity": "MEDIUM", "baseScore": 6.5, "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N"}}], "credits": [{"lang": "en", "value": "Yassine Damiri", "type": "finder"}, {"lang": "en", "value": "No\u00e9 Susset", "type": "finder"}], "source": {"discovery": "EXTERNAL"}, "x_generator": {"engine": "Vulnogram 1.0.1"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation."}], "id": "CVE-2026-41464", "lastModified": "2026-04-27T18:35:53.583", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "disclosure@vulncheck.com", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.1, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "disclosure@vulncheck.com", "type": "Secondary"}]}, "published": "2026-04-27T16:16:45.647", "references": [{"source": "disclosure@vulncheck.com", "url": "https://damiri.fr/en/cves/CVE-2026-41464"}, {"source": "disclosure@vulncheck.com", "url": "https://gryfman.fr/cves/CVE-2026-41464"}, {"source": "disclosure@vulncheck.com", "url": "https://www.projeqtor.com"}, {"source": "disclosure@vulncheck.com", "url": "https://www.vulncheck.com/advisories/projeqtor-missing-authorization-via-objectdetail-php"}], "sourceIdentifier": "disclosure@vulncheck.com", "vulnStatus": "Deferred", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-862"}], "source": "disclosure@vulncheck.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[7.0,12.4.3]"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "12.4.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "ProjeQtor", "source": "cna", "vendor": "ProjeQtor"}, "product": "projeqtor", "vendor": "projeqtor"}], "analysis": {"en": {"generated_at": "2026-04-28T04:20:55.196268+00:00", "value": {"mitigation_remediation": ["Upgrade to ProjeQtor v12.4.4 or later to remove the missing authorization bug.", "Restrict guest\u2011level users from accessing the objectDetail.php endpoint by adjusting role permissions or removing guest roles.", "Monitor audit logs for unexpected calls to objectDetail.php and enforce least privilege for all users."], "summary": {"action": "Apply Patch", "impact": "Privilege Escalation via Missing Authorization"}, "threat_synthesis": {"affected_systems": "The affected products are ProjeQtor, a software project management platform, specifically versions 7.0 to 12.4.3. All installations of these versions run the vulnerable objectDetail.php endpoint.", "description_and_impact": "ProjeQtor versions 7.0 through 12.4.3 have a missing authorization flaw in the objectDetail.php endpoint that lets any authenticated user with guest permissions retrieve sensitive data belonging to other users, including password hashes and API keys. This flaw also enables attackers to obtain administrator credentials, enabling privilege escalation. The weakness is an Authentication Bypass (CWE\u2011862).", "risk_and_exploitability": "The CVSS score is 7.1, indicating a high severity of vulnerability. Although a precise EPSS score is unavailable, the lack of a KEV listing suggests no publicly disclosed exploit yet. Attackers require authentication with guest\u2011level access, so the risk is primarily internal or on networks where legitimate users have guest accounts. If the endpoint is reachable, an attacker can easily retrieve privileged data and elevate privileges."}}}}, "created": "2026-04-28T02:45:10.915461+00:00", "updated": "2026-04-28T04:30:21.144064+00:00", "vendors": ["projeqtor", "projeqtor$PRODUCT$projeqtor"]}