← back
CVE-2026-41464

ProjeQtor < 12.4.4 Missing Authorization via objectDetail.php

CVSS 7.1 HIGHEPSS 0.3%CWE-862
ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
Affected products
ProjeQtor · ProjeQtor
public PoCs found2
cve_referencedamiri.fr/en/cves/CVE-2026-41464unverifiedcve_referencegryfman.fr/cves/CVE-2026-41464unverified
⚠ Public resources, to assess the exposure of systems you control or are authorized to test. Test only with authorization.

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →
References
https://damiri.fr/en/cves/CVE-2026-41464https://gryfman.fr/cves/CVE-2026-41464https://www.projeqtor.comhttps://www.vulncheck.com/advisories/projeqtor-missing-authorization-via-objectdetail-php