CVE-2025-10696

MEDIUM

OpenSupports 4.11.0 - Incorrect Authorization via Supervised Users Endpoint

Title source: llm

Description

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.This issue affects OpenSupports: 4.11.0.

References (2)

Core 2

Core References

Exploit, Vendor Advisory third-party-advisory

https://fluidattacks.com/advisories/stratovarius

Product product

https://github.com/opensupports/opensupports

View Writeup ZIP pw:eip

Scores

CVSS v3 5.4

EPSS 0.0020

EPSS Percentile 9.7%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact partial

Details

CWE

CWE-863

Status published

Products (2)

opensupports/opensupports 4.11.0

OpenSupports/OpenSupports 4.11.0

Published Oct 03, 2025

Tracked Since Feb 18, 2026