CVE-2025-3646
HIGHPetlibro < 1.7.31 - Unauthenticated Authorization Bypass via Device Share API
Title source: llmDescription
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without proper authorization validation.
References (2)
Core 2
Core References
Product third-party-advisory
technical-description
https://bobdahacker.com/blog/petlibro
Third Party Advisory third-party-advisory
https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-authorization-bypass-via-device-share-api
Scores
CVSS v3
7.3
EPSS
0.0019
EPSS Percentile
9.2%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-306
Status
published
Products (1)
petlibro/petlibro
< 1.7.31
Published
Jan 04, 2026
Tracked Since
Feb 18, 2026