References: CERT/CC VU#653116 | CISA Advisory ICSA-26-055-03
- CVE: CVE-2026-25197
- Gr0m IDs: Gr0m-007, Gr0m-023
- CVSS 3.1: 9.1 (Critical)
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
- CWE: CWE-639 (Authorization Bypass Through User-Controlled Key)
- Status: CONFIRMED
Two REST API endpoints return user data without per-user authorization checks:
- /api/users returns the full user list. No authentication is required.
- /api/user/{id} returns the profile of the user identified by {id}. No verification is performed that the requesting party is authorized to access that user's record.
User identifiers are sequential integers, allowing enumeration of all 134,215+ user accounts and their associated devices via the /api/user/{id} endpoint.
GET [REDACTED — Cloud API host]/api/users
Authentication: NONE
Returns the complete user list. No credentials required.
GET [REDACTED — Cloud API host]/api/user/{user_id}
Sequential integer IDs. Any valid ID returns that user's data.
- Full name, email address, physical address
- Phone numbers and partial credit card data (last_four)
- Device associations and serial numbers
- Account settings and configuration
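The enumeration described above leaves a distinctive trace in the API gateway's access log: one client fetching many distinct user IDs in steps of one. The following detection is an added example, not part of the advisory or the vendor's tooling; it assumes nginx/Apache "combined" log lines, and the thresholds and the sample log lines are constructed for illustration.

```python
"""Detect sequential-ID enumeration of /api/user/{id} in web access logs.

Added example, not part of the advisory or the vendor's tooling. Assumes the
API gateway writes nginx/Apache "combined" log lines; the thresholds are
illustrative and should be tuned to the real traffic profile.
"""
import re
from collections import defaultdict

# Combined log format: client IP, identd, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Only the per-user lookup endpoint; /api/users (no trailing slash + id) does not match.
USER_PATH_RE = re.compile(r"^/api/user/(?P<id>\d+)(?:[/?]|$)")


def parse_user_lookups(lines):
    """Yield (client_ip, user_id, status) for every request to /api/user/{id}."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        p = USER_PATH_RE.match(m["path"])
        if p:
            yield m["ip"], int(p["id"]), int(m["status"])


def find_enumerators(lines, min_ids=8, min_sequential_ratio=0.8):
    """Flag clients that successfully fetched many distinct user IDs, mostly
    in steps of one. Returns {client_ip: (distinct_ids, sequential_ratio)}."""
    ids_by_ip = defaultdict(set)
    for ip, uid, status in parse_user_lookups(lines):
        if status == 200:          # only records that were actually disclosed
            ids_by_ip[ip].add(uid)
    flagged = {}
    for ip, ids in ids_by_ip.items():
        if len(ids) < min_ids:
            continue
        ordered = sorted(ids)
        steps = [b - a for a, b in zip(ordered, ordered[1:])]
        ratio = sum(1 for d in steps if d == 1) / len(steps)
        if ratio >= min_sequential_ratio:
            flagged[ip] = (len(ids), round(ratio, 2))
    return flagged


def _log_line(ip, path, status, second):
    """Build one constructed combined-format line (sample data, not real traffic)."""
    return (f'{ip} - - [24/Feb/2026:10:00:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" {status} 512 "-" "curl/8.4.0"')


# Constructed sample log: one client walks IDs 1001..1010, a legitimate client
# reloads its own profile, and the unauthenticated list endpoint is hit once.
SAMPLE_LOG = (
    [_log_line("203.0.113.7", "/api/users", 200, 0)]
    + [_log_line("203.0.113.7", f"/api/user/{i}", 200, i - 1000) for i in range(1001, 1011)]
    + [_log_line("198.51.100.20", "/api/user/4471", 200, s) for s in (5, 20, 35)]
    + [_log_line("198.51.100.20", "/api/user/4472", 404, 40)]
)

if __name__ == "__main__":
    for ip, (count, ratio) in find_enumerators(SAMPLE_LOG).items():
        print(f"{ip}: {count} distinct user IDs, {ratio:.0%} sequential")
```

Only 200 responses are counted, since a failed lookup disclosed nothing; a scanner that hits a real population of 134,215 sequential accounts will produce a near-perfect step-of-one profile, while a legitimate client re-reading its own record never accumulates distinct IDs.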
- /api/users: no authentication at all; returns the full user list
- /api/user/{id}: sequential-ID IDOR; any valid ID returns that user's data
- PII exposure for 134,215+ users
- Complete user-to-device mapping
- Privacy violation at scale
- Implement authorization checks on all user/device data endpoints
- Replace sequential IDs with UUIDs (this hinders enumeration but is no substitute for the authorization check)
- Validate that the authenticated user owns the requested resource
- Rotate API credentials
- Implement rate limiting on lookup endpoints
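The remediation items above as a worked Python example, added here and not the vendor's code: the handler behaviour the advisory describes beside a hardened version that authenticates the caller, rate-limits per principal, looks records up by UUID, and releases a record only to its owner or an admin. The handler names, the in-memory user table, the session tokens, the role model and the limits are all assumptions made for illustration.

```python
"""Vulnerable vs hardened /api/user/{id} lookup (CWE-639 style IDOR).

Added example, not the vendor's code. The handler names, the in-memory
tables, the bearer-token sessions and the rate limits are assumptions.
"""
import hmac
import secrets
import time
import uuid
from collections import deque
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample data: sequential internal IDs as in the advisory, plus a
# random UUID per user that the hardened API exposes instead of the integer.
USERS = {
    1: {"name": "Alice Example", "email": "alice@example.test", "last_four": "4242"},
    2: {"name": "Bob Example", "email": "bob@example.test", "last_four": "0005"},
}
PUBLIC_ID = {uid: str(uuid.uuid4()) for uid in USERS}      # internal id -> uuid
INTERNAL_ID = {pub: uid for uid, pub in PUBLIC_ID.items()}  # uuid -> internal id

# Constructed sessions: random bearer token -> (user id, role). User 3 is a support admin.
SESSIONS = {
    secrets.token_urlsafe(32): (1, "user"),
    secrets.token_urlsafe(32): (2, "user"),
    secrets.token_urlsafe(32): (3, "admin"),
}


def token_for(user_id: int) -> str:
    """Helper for demos/tests: the session token issued to `user_id`."""
    return next(tok for tok, (uid, _) in SESSIONS.items() if uid == user_id)


@dataclass
class Request:
    """Minimal stand-in for an HTTP request: bearer token (if any) and client address."""
    token: Optional[str]
    client_ip: str


def get_user_vulnerable(req: Request, user_id: int):
    """The behaviour the advisory describes: any integer id returns that user's
    record and the Authorization header is never examined."""
    record = USERS.get(user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


class RateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per key."""

    def __init__(self, limit: int, window: float):
        self.limit, self.window = limit, window
        self._hits: Dict[str, deque] = {}

    def allow(self, key: str, now: Optional[float] = None) -> bool:
        now = time.monotonic() if now is None else now
        q = self._hits.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


LIMITER = RateLimiter(limit=30, window=60.0)


def authenticate(req: Request):
    """Resolve the bearer token to (user id, role) using a constant-time comparison."""
    if not req.token:
        return None
    for tok, principal in SESSIONS.items():
        if hmac.compare_digest(tok, req.token):
            return principal
    return None


def get_user_hardened(req: Request, public_id: str, now: Optional[float] = None,
                      limiter: RateLimiter = LIMITER):
    """Fixed handler: authenticate, rate-limit per principal, look up by UUID,
    and release the record only to its owner (or an admin)."""
    principal = authenticate(req)
    if principal is None:
        return 401, {"error": "authentication required"}
    caller_id, role = principal
    # Key the limit on the authenticated principal, not only the client IP.
    if not limiter.allow(f"user:{caller_id}", now):
        return 429, {"error": "too many requests"}
    target_id = INTERNAL_ID.get(public_id)
    # Same 404 for "unknown" and "not yours", so the endpoint is not an existence oracle.
    if target_id is None or (target_id != caller_id and role != "admin"):
        return 404, {"error": "not found"}
    return 200, USERS[target_id]


if __name__ == "__main__":
    anon = Request(token=None, client_ip="203.0.113.7")
    alice = Request(token=token_for(1), client_ip="198.51.100.20")
    print("vulnerable, no token, id 2:", get_user_vulnerable(anon, 2))
    print("hardened, no token:", get_user_hardened(anon, PUBLIC_ID[2]))
    print("hardened, alice reads bob:", get_user_hardened(alice, PUBLIC_ID[2]))
    print("hardened, alice reads self:", get_user_hardened(alice, PUBLIC_ID[1]))
```

The ownership check is the actual fix; the UUID only removes the cheap enumeration path, and the per-principal limiter bounds how fast a stolen session can still scrape whatever it is authorized to read. Returning the same 404 for a record that does not exist and for one the caller may not read keeps the endpoint from confirming which IDs are live.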
See CVE-2026-25197.md for the complete CISA-aligned advisory.
Researcher: Michael Groberman (Gr0m). Contact: michael@groberman.tech