CVE-2021-43834
CRITICAL: elabftw < 4.2.0 - Authentication Bypass via LDAP/SAML User Impersonation
Title source: llmDescription
eLabFTW is an electronic lab notebook manager for research teams. In versions prior to 4.2.0 there is a vulnerability which allows an attacker to authenticate as an existing user, if that user was created using a single sign-on authentication option such as LDAP or SAML. It impacts instances where LDAP or SAML is used for authentication instead of the (default) local password mechanism. Users should upgrade to at least version 4.2.0.
References (2)
Core References
Release Notes, Third Party Advisory (x_refsource_misc): https://github.com/elabftw/elabftw/releases/tag/4.2.0
Third Party Advisory (x_refsource_confirm): https://github.com/elabftw/elabftw/security/advisories/GHSA-98rp-gx76-33ph
Scores
CVSS v3: 9.1
EPSS: 0.0098
EPSS Percentile: 57.6%
Attack Vector: NETWORK
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Details
CWE: CWE-287
Status: published
Products (1): elabftw/elabftw < 4.2.0
Published: Dec 16, 2021
Tracked Since: Feb 18, 2026