Introduction

This article covers another vulnerability we found during our research on ProjeQtOr: a missing authorization issue.

If you want more context about ProjeQtOr itself, I already introduced the software in the first post of this series: From login to admin: CVE-2026-41462.

Here the issue is different from the previous ones, and involves an access control flaw that allowed low-privileged authenticated users to access sensitive information about other users, including password hashes and API keys.

Vulnerability summary

The vulnerability is a missing authorization check affecting the objectDetail.php endpoint.

A low-privileged authenticated user, such as a guest account, could access sensitive information related to other users. This included data that should never be exposed to such accounts, such as password hashes and API keys.

The problem is a classic access control issue: the application allowed the request to reach sensitive objects without properly checking whether the current user had the right to view them.

This kind of bug is often less spectacular than an RCE, but it can be very serious. Access control is one of the most important parts of any application dealing with users, roles and business data. It is even the number one issue in the OWASP Top 10 of 2025, showing how common and impactful these issues are.

Attack surface

The vulnerability required authentication, but only with a low-privileged account.

That means the attacker did not need administrative access. A guest-level user was enough to reach data that should have been restricted.

The affected endpoint returned object details, but the authorization logic did not sufficiently enforce ownership or role-based restrictions before returning sensitive fields.

In practice, this could allow an attacker to collect information about privileged users and potentially use exposed API keys or password hashes to move further inside the application.

Every endpoint returning object details should enforce authorization server-side.

The application should not rely on the frontend to hide sensitive data. The backend must check, for every request, whether the authenticated user is allowed to access the requested object.

Access control bugs are often introduced when endpoints are reused in multiple contexts. For this reason, the safest approach is to make authorization checks explicit and systematic.
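The following is an added example written for this article, not ProjeQtOr's own code and not its objectDetail.php handler. It models the two ideas above in Python: an object-detail handler that only checks that the caller is logged in (the pattern behind the bug), next to a hardened handler that evaluates an explicit authorization rule on every request and strips secret fields before anything is returned. The User fields, the "admin"/"guest" role names, the in-memory user table and the rule in can_view_user are all constructed assumptions for the illustration.

```python
"""Server-side authorization for an "object detail" endpoint (added example).

Not ProjeQtOr code: a minimal model of a detail handler that trusts
authentication alone, beside one that enforces role/ownership checks and
field-level filtering on the server. All data below is constructed.
"""
from dataclasses import dataclass, asdict


@dataclass(frozen=True)
class User:
    """Constructed user record; field names are assumptions, not ProjeQtOr's schema."""
    id: int
    name: str
    role: str            # "admin" or "guest" in this example
    password_hash: str   # must never be returned to a client
    api_key: str         # must never be returned to a client


# In-memory stand-in for the users table (constructed sample data).
USERS = {
    1: User(1, "alice", "admin", "$2y$10$constructed-admin-hash", "key-admin-0001"),
    2: User(2, "bob", "guest", "$2y$10$constructed-guest-hash", "key-guest-0002"),
}

# Fields that stay on the server whatever the caller's role: the application
# needs them to verify logins and API calls, the UI never needs to see them.
SECRET_FIELDS = {"password_hash", "api_key"}


class Forbidden(Exception):
    """Raised when the caller is not allowed to view the requested object."""


def object_detail_vulnerable(caller: User, object_id: int) -> dict:
    """The flawed pattern: being authenticated is treated as sufficient.

    Any logged-in user (a guest included) gets any user's full record,
    password hash and API key included.
    """
    return asdict(USERS[object_id])


def can_view_user(caller: User, target: User) -> bool:
    """Assumed authorization rule, evaluated server-side on every request:
    admins may view any user, everyone else only their own record."""
    return caller.role == "admin" or caller.id == target.id


def object_detail_hardened(caller: User, object_id: int) -> dict:
    """Explicit, systematic check before the object is used, plus field-level
    filtering so secrets never reach the response, even for an admin."""
    target = USERS.get(object_id)
    if target is None:
        raise KeyError(object_id)
    if not can_view_user(caller, target):
        # Deny before any sensitive data is read into the response.
        raise Forbidden(f"user {caller.id} may not view user {object_id}")
    return {k: v for k, v in asdict(target).items() if k not in SECRET_FIELDS}


def detail_or_none(caller: User, object_id: int):
    """Convenience wrapper: the hardened response, or None when access is denied."""
    try:
        return object_detail_hardened(caller, object_id)
    except Forbidden:
        return None


if __name__ == "__main__":
    guest, admin = USERS[2], USERS[1]
    print("vulnerable, guest reads admin:", object_detail_vulnerable(guest, admin.id))
    print("hardened, guest reads admin:  ", detail_or_none(guest, admin.id))
    print("hardened, guest reads self:   ", detail_or_none(guest, guest.id))
    print("hardened, admin reads guest:  ", detail_or_none(admin, guest.id))
```

The two defensive layers are deliberately separate: the authorization rule answers "may this caller see this object at all", and the field filter answers "which fields may any caller see". Keeping the filter independent of the rule means a later mistake in the role logic still cannot leak hashes or API keys.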

Conclusion

Be careful with the access control logic: one endpoint is enough to leak information, and this should be treated seriously during development, for every endpoint, for every field, for every user role.

Here it is a vertical issue, allowing retrieval of information, but it could be a horizontal one, allowing modification or deletion of other users' data.

Another happy finding for us. Thanks again for reading this article, we hope you liked it!

Disclaimer

This article is shared for educational and defensive purposes. Do not test this vulnerability on systems you do not own or have explicit permission to assess.