Authorization Issue in Q-Free MaxTime Affects User Group Management
CVE-2025-26371
8.8 HIGH
What is CVE-2025-26371?
A missing authorization check in Q-Free's MaxTime application allows an authenticated, low-privileged user to manipulate user-group memberships. The route handler in the user-groups routing file verifies that the caller is logged in but not that the caller is permitted to manage groups, so any authenticated user can add any user to any group by sending crafted HTTP requests to that route. Because group membership determines roles and access within the application, the flaw can be used to escalate privileges and perform actions the caller is not entitled to, compromising the integrity of user roles and access control in the system.
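The pattern described above, as an added illustration that is not MaxTime's code and does not reproduce its routes: a route handler that only authenticates the session beside one that also authorizes the caller before touching group membership. The handler names, the `group-admin` role, the `administrators` group and the users are all constructed for the example.

```python
"""Missing-authorization on a user-group route (hypothetical illustration,
not Q-Free MaxTime's code). The vulnerable handler accepts any authenticated
session; the hardened one requires a group-management role that is looked up
server-side from the caller's identity, never from the request body."""
from dataclasses import dataclass, field

ROLE_GROUP_ADMIN = "group-admin"   # assumed role name for this example


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)


@dataclass
class Request:
    """Constructed stand-in for an HTTP POST to a user-groups route."""
    session_user: str   # principal the session cookie resolves to
    group: str          # group to modify (request body)
    target_user: str    # user to add (request body)


class GroupStore:
    def __init__(self):
        self.users = {}        # user name -> User
        self.groups = {}       # group name -> set of member names
        self.group_roles = {}  # group name -> roles conferred by membership

    def effective_roles(self, name):
        """Direct roles plus roles inherited through group membership."""
        roles = set(self.users[name].roles)
        for group, members in self.groups.items():
            if name in members:
                roles |= self.group_roles.get(group, set())
        return roles


def vulnerable_add_member(store, req):
    # Authentication only: any valid session may edit any group.
    if req.session_user not in store.users:
        return 401
    if req.group not in store.groups or req.target_user not in store.users:
        return 404
    store.groups[req.group].add(req.target_user)
    return 200


def hardened_add_member(store, req):
    caller = store.users.get(req.session_user)
    if caller is None:
        return 401
    # Authorization: decided from the caller's current server-side roles.
    if ROLE_GROUP_ADMIN not in store.effective_roles(caller.name):
        return 403
    if req.group not in store.groups or req.target_user not in store.users:
        return 404
    store.groups[req.group].add(req.target_user)
    return 200


def build_store():
    """Constructed sample data: one group admin, one low-privileged user."""
    s = GroupStore()
    s.users["alice"] = User("alice", {ROLE_GROUP_ADMIN})
    s.users["mallory"] = User("mallory")   # authenticated, no roles
    s.groups["administrators"] = {"alice"}
    s.group_roles["administrators"] = {ROLE_GROUP_ADMIN}
    return s


def escalation_attempt(handler):
    """Low-privileged user tries to add herself to the administrators group.
    Returns (HTTP status, whether she now holds the group-admin role)."""
    store = build_store()
    req = Request("mallory", "administrators", "mallory")
    status = handler(store, req)
    return status, ROLE_GROUP_ADMIN in store.effective_roles("mallory")


if __name__ == "__main__":
    print("vulnerable:", escalation_attempt(vulnerable_add_member))  # (200, True)
    print("hardened:  ", escalation_attempt(hardened_add_member))    # (403, False)
```

The point of `effective_roles` is to show why a membership write is a privilege-escalation primitive: once the low-privileged caller is a member of a role-bearing group, every later authorization decision in the application treats her as an administrator, so the check has to sit on the membership route itself rather than only on the pages that link to it.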
Affected Version(s)
MaxTime, all versions up to and including 2.11.0
CVSS V3.1
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Score: 8.8
Severity: HIGH
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: High
Integrity: High
Availability: High
Credit
Diego Giubertoni of Nozomi Networks discovered this vulnerability during a security research activity.