← volver
CVE-2025-59036

Infrahub allows authentication with deleted and expired API tokens

CVSS 5.5 MEDIUMEPSS 0.2%CWE-298
Vexday Risk Score
13Bajo
Decisión SSVC (CISA)
Track
Sin señal de explotación → monitorear
CVSS 5.5EPSS 0.2%KEV nãoPoC Patch
Ciclo de vida
09 sept 2025Publicada en NVD
Recomendación: Monitorear — sin señal de explotación por ahora.
Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5, a bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. This issue is fixed in versions 1.3.9 and 1.4.5. As a workaround, users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.
CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
Productos afectados
opsmill · infrahub

¿Quieres saber si tu infraestructura está expuesta a esto?

Hablar con TrueHacking →
Referencias
https://github.com/opsmill/infrahub/security/advisories/GHSA-v2p7-4pv4-3wwh