CVE-2025-3518

MEDIUM

unblu spark 7.0.1-7.54.1 - Improper Access Control via Direct API Request

Title source: llm

Description

It technically possible for a user to upload a file to a conversation despite the file upload functionality being disabled. The file upload functionality can be enabled or disabled for specific use cases through configuration. In case the functionality is disabled for at least one use case, the system nevertheless allows files to be uploaded through direct API requests. During the upload file, interception and allowed file type rules are still applied correctly. If file sharing is generally enabled, this issue is not of concern.

References (1)

Core 1

Core References

Vendor Advisory

https://www.unblu.com/en/docs/latest/security-bulletins/#UBL-2025-002

Scores

CVSS v3 4.3

EPSS 0.0020

EPSS Percentile 9.8%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-284

Status published

Products (1)

unblu/spark 7.0.1 - 7.54.1

Published Apr 22, 2025

Tracked Since Feb 18, 2026