Access Control
When guest takes over: CVE-2026-41464
Introduction
This article covers another vulnerability we found during our research on ProjeQtOr: a missing authorization issue.
If you want more context about ProjeQtOr itself, I already introduced the software in the first post of this series: From login to admin: CVE-2026-41462.
Here the issue is different from the previous ones: it involves an access control flaw that allowed low-privileged authenticated users to access sensitive information about other users, including password hashes and API keys.