Access Control Flaw in Nagios Network Analyzer by Nagios
CVE-2025-28059

7.5 HIGH

Key Information:

Vendor:
Nagios
Product:
Nagios Network Analyzer
CVE Published:
18 April 2025

Summary

An access control flaw in Nagios Network Analyzer version 2024R1.0.3 allows former users to keep using system functionality after their accounts have been deleted. Deleting an account does not terminate the user's existing sessions and does not revoke the API tokens issued to that user, so a stale session or a token that has not yet reached its expiry continues to authorize requests, including sensitive operations, as if the account still existed. Administrators need to ensure that deleting a user triggers complete invalidation of every session and API token associated with that account, and that authorization checks reject any credential whose owning account no longer exists; after deleting an account, confirm that its former session and API token are refused.
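The following is an added example, not Nagios code, showing the pattern behind the flaw in a generic session and API-token store: a deletion that removes only the user record beside one that cascades to every credential and re-checks the principal at request time. All names (VulnerableAuth, HardenedAuth, leftover_access) and the user id 42 are hypothetical.

```python
# Added illustration of the session/API-token lifecycle flaw described in
# the summary. Not Nagios Network Analyzer code; class and function names
# are hypothetical and the user/timestamps are constructed sample data.
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass
class ApiToken:
    user_id: int
    expires_at: float  # unix timestamp


class VulnerableAuth:
    """Deletes the user record but leaves sessions and API tokens behind.

    authorize() trusts any credential found in the stores, so a deleted
    user's stale session or still-valid token keeps working.
    """

    def __init__(self) -> None:
        self.users: dict[int, str] = {}             # user_id -> username
        self.sessions: dict[str, int] = {}          # session_id -> user_id
        self.api_tokens: dict[str, ApiToken] = {}   # token -> ApiToken

    def create_user(self, user_id: int, username: str) -> None:
        self.users[user_id] = username

    def login(self, user_id: int) -> str:
        if user_id not in self.users:
            raise PermissionError("unknown user")
        session_id = secrets.token_urlsafe(32)
        self.sessions[session_id] = user_id
        return session_id

    def issue_api_token(self, user_id: int, now: float, ttl: float) -> str:
        if user_id not in self.users:
            raise PermissionError("unknown user")
        token = secrets.token_urlsafe(32)
        self.api_tokens[token] = ApiToken(user_id, now + ttl)
        return token

    def delete_user(self, user_id: int) -> None:
        # Flaw: only the user row is removed; sessions and tokens survive.
        self.users.pop(user_id, None)

    def authorize(self, credential: str, now: float) -> Optional[int]:
        """Return the user_id the credential maps to, or None if refused."""
        if credential in self.sessions:
            return self.sessions[credential]
        tok = self.api_tokens.get(credential)
        if tok is not None and tok.expires_at > now:
            return tok.user_id
        return None


class HardenedAuth(VulnerableAuth):
    """Cascades deletion to every session and token, and re-checks at
    request time that the principal behind a credential still exists."""

    def revoke_all(self, user_id: int) -> int:
        dead_sessions = [s for s, u in self.sessions.items() if u == user_id]
        dead_tokens = [t for t, a in self.api_tokens.items() if a.user_id == user_id]
        for s in dead_sessions:
            del self.sessions[s]
        for t in dead_tokens:
            del self.api_tokens[t]
        return len(dead_sessions) + len(dead_tokens)

    def delete_user(self, user_id: int) -> None:
        # Revoke before removing the account so nothing is left to clean up
        # if the second step fails.
        self.revoke_all(user_id)
        self.users.pop(user_id, None)

    def authorize(self, credential: str, now: float) -> Optional[int]:
        uid = super().authorize(credential, now)
        # Defence in depth: a credential whose owning account is gone is never
        # valid, even if some deletion path failed to clean the stores.
        if uid is None or uid not in self.users:
            return None
        return uid


def leftover_access(auth_cls, now: float = 1_700_000_000.0) -> dict:
    """Create a user, give them a session and an API token, delete the user,
    then replay both credentials. Returns the user_id each still resolves to
    (None means refused). This is the post-deletion check an admin wants."""
    auth = auth_cls()
    auth.create_user(42, "former_employee")          # constructed sample user
    sid = auth.login(42)
    tok = auth.issue_api_token(42, now, ttl=3600)
    auth.delete_user(42)
    return {
        "session": auth.authorize(sid, now + 60),
        "api_token": auth.authorize(tok, now + 60),
        "expired_api_token": auth.authorize(tok, now + 7200),
    }
```

With the vulnerable store, `leftover_access(VulnerableAuth)` still resolves both the old session and the unexpired token to user 42; only the expired token is refused. With `HardenedAuth` all three are refused. The request-time ownership check in `HardenedAuth.authorize` is the part worth keeping even when the cascade exists, because it also covers tokens issued through any path the cascade forgot.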

CVSS V3.1

Score:
7.5
Severity:
HIGH
Confidentiality:
High
Integrity:
None
Availability:
None
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Timeline

  • Vulnerability published: 18 April 2025