CVE-2026-28511

MEDIUM

eLabFTW < 5.4.2 - Authenticated Exposure of Sensitive Information via Numeric Reference Search

Title source: llm

Description

eLabFTW is an open source electronic lab notebook. Prior to version 5.4.2, in certain cases, an authenticated user performing a numeric reference/search can return results that include resources the requesting user is not authorized to view. The exposed information is limited (only the title). Attempts to access the underlying protected resource content remain blocked by authorization checks. Version 5.4.2 fixes the issue. # Affected Scope Cross-scope visibility of titles. No confirmed bypass of content-level access controls # Preconditions An authenticated user account No special privileges required beyond standard access # Impact This may enable unauthorized disclosure of sensitive information if confidential data is included in resource titles. Examples could include project names, patient identifiers, or other regulated information embedded in titles.

References (1)

Core 1

Core References

Vendor Advisory x_refsource_confirm

https://github.com/elabftw/elabftw/security/advisories/GHSA-wm4r-p2jg-2mj3

Scores

CVSS v3 4.3

EPSS 0.0019

EPSS Percentile 8.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-200

Status published

Products (1)

elabftw/elabftw < 5.4.2 (2 CPE variants)

Published Jun 01, 2026

Tracked Since Jun 02, 2026