Improper Access Control in microCLAUDIA by INCIBE
CVE-2025-41090

7.6 HIGH

Key Information:

Vendor: Ccn-cert
CVE Published: 28 October 2025

What is CVE-2025-41090?

The microCLAUDIA solution suffers from an improper access control vulnerability that allows authenticated users to perform unauthorized actions on other organizations' systems. Using organization identifiers obtained from a compromised endpoint or inferred manually, an attacker can send direct API requests that the server acts on without checking that the caller belongs to the named organization. The flaw enables cross-tenant access: attackers can list and manage assets remotely, uninstall agents, and delete critical vaccine configurations. Organizations running affected versions of microCLAUDIA should take immediate steps to mitigate this risk.
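The pattern behind this class of flaw, as an added example (hypothetical code, not microCLAUDIA's): a handler that trusts a caller-supplied organization id, beside hardened handlers that bind every action to the organization the session was issued for and log denials so cross-tenant probing can be detected. Session, the asset and vaccine-config tables and the audit list are all constructed here.

```python
"""Tenant-scoped authorization for a multi-tenant endpoint-management API.

Added example; hypothetical code, not microCLAUDIA's.
"""
from dataclasses import dataclass
from typing import Optional

class Forbidden(Exception):
    """Raised when a session tries to act outside its own organization."""

@dataclass(frozen=True)
class Session:
    user: str
    org_id: str                      # tenant the session was issued for
    roles: frozenset = frozenset()   # roles held inside that tenant

# Constructed sample tenant data (not real identifiers).
ASSETS = {"org-100": ["host-a", "host-b"], "org-200": ["host-c"]}
VACCINE_CONFIGS = {"org-100": {"ransomware-v1"}, "org-200": {"ransomware-v1"}}

def list_assets_vulnerable(session: Session, org_id: str) -> list:
    # Flaw: the caller is authenticated, but org_id is never compared with the
    # session, so a user of org-100 can enumerate org-200 by guessing its id.
    return list(ASSETS.get(org_id, []))

def authorize_org(session: Session, org_id: str, role: Optional[str], audit: list) -> None:
    """Deny unless org_id is the session's own tenant and any required role is held."""
    if org_id != session.org_id or (role is not None and role not in session.roles):
        audit.append({"user": session.user, "session_org": session.org_id,
                      "requested_org": org_id, "outcome": "DENY"})
        raise Forbidden(f"{session.user} may not act on {org_id}")

def list_assets(session: Session, org_id: str, audit: list) -> list:
    authorize_org(session, org_id, None, audit)
    return list(ASSETS.get(org_id, []))

def delete_vaccine_config(session: Session, org_id: str, name: str, audit: list) -> bool:
    # Destructive actions additionally require the admin role inside the tenant.
    authorize_org(session, org_id, "admin", audit)
    configs = VACCINE_CONFIGS.get(org_id, set())
    if name not in configs:
        return False
    configs.discard(name)
    return True

def cross_tenant_denials(audit: list, threshold: int = 2) -> dict:
    """Users with >= threshold denied requests for a foreign tenant: an id-probing signal."""
    counts: dict = {}
    for e in audit:
        if e["outcome"] == "DENY" and e["requested_org"] != e["session_org"]:
            counts[e["user"]] = counts.get(e["user"], 0) + 1
    return {u: n for u, n in counts.items() if n >= threshold}
```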

Affected Version(s)

microCLAUDIA 3.2.0

CVSS V4

Score: 7.6
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Attack Requirements: Physical
Privileges Required: Undefined
User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Alejandro Vázquez Vázquez