Authentication Logic Flaw in Infrahub Product by Opsmill
CVE-2025-59036

5.5 MEDIUM

Key Information:

Vendor: Opsmill
Status: Vendor
CVE Published: 9 September 2025

What is CVE-2025-59036?

Infrahub by Opsmill, in versions prior to 1.3.9 and 1.4.5, contains a flaw in its authentication logic: API tokens that have been deleted or have expired are still recognized as valid, so any such token linked to an active user account grants unauthorized access. The flaw requires immediate attention; the recommended remediation is to upgrade to the latest versions or to deactivate the accounts associated with compromised tokens.
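The class of flaw described above is easiest to see as two token validators side by side: one that resolves the token to its account and only asks whether the account is active, and one that also checks the token's own state. The following is an added illustration written for this page, not Infrahub's code; the in-memory `TokenStore`, the soft-delete flag, the `Account` type and the `run_scenarios` helper are all assumptions of the example.

```python
"""Illustrative API-token validation: an account-only check beside a check
that also verifies the token has not been deleted or expired."""
from __future__ import annotations

import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class Account:
    username: str
    active: bool = True


@dataclass
class TokenRecord:
    token_hash: str               # only the SHA-256 of the raw token is stored
    account: Account
    expires_at: datetime | None   # None means the token never expires
    deleted: bool = False         # soft-delete flag (assumption of this example)


class TokenStore:
    """Constructed in-memory token store; not Infrahub's implementation."""

    def __init__(self) -> None:
        self._records: dict[str, TokenRecord] = {}

    @staticmethod
    def _hash(raw_token: str) -> str:
        return hashlib.sha256(raw_token.encode()).hexdigest()

    def issue(self, account: Account, ttl: timedelta | None, now: datetime) -> str:
        raw = secrets.token_urlsafe(32)
        token_hash = self._hash(raw)
        expires_at = now + ttl if ttl is not None else None
        self._records[token_hash] = TokenRecord(token_hash, account, expires_at)
        return raw

    def delete(self, raw_token: str) -> None:
        # Deletion marks the record; the row itself stays behind, so a
        # validator that ignores the flag will keep accepting the token.
        rec = self._records.get(self._hash(raw_token))
        if rec is not None:
            rec.deleted = True

    def lookup(self, raw_token: str) -> TokenRecord | None:
        return self._records.get(self._hash(raw_token))


def validate_account_only(store: TokenStore, raw_token: str, now: datetime) -> bool:
    """Flawed: any token that maps to an active account is accepted,
    regardless of whether the token was deleted or has expired."""
    rec = store.lookup(raw_token)
    return rec is not None and rec.account.active


def validate_token_and_account(store: TokenStore, raw_token: str, now: datetime) -> bool:
    """Hardened: the token must exist, not be deleted, not be past its
    expiry, and its account must be active."""
    rec = store.lookup(raw_token)
    if rec is None or rec.deleted:
        return False
    if rec.expires_at is not None and now >= rec.expires_at:
        return False
    return rec.account.active


def run_scenarios() -> dict[str, tuple[bool, bool]]:
    """Return (flawed_result, hardened_result) for each scenario."""
    now = datetime(2025, 9, 9, tzinfo=timezone.utc)   # constructed clock
    alice = Account("alice")
    store = TokenStore()
    results: dict[str, tuple[bool, bool]] = {}

    fresh = store.issue(alice, timedelta(hours=1), now)
    results["fresh"] = (validate_account_only(store, fresh, now),
                        validate_token_and_account(store, fresh, now))

    deleted = store.issue(alice, None, now)
    store.delete(deleted)
    results["deleted"] = (validate_account_only(store, deleted, now),
                          validate_token_and_account(store, deleted, now))

    expired = store.issue(alice, timedelta(hours=1), now)
    later = now + timedelta(hours=2)
    results["expired"] = (validate_account_only(store, expired, later),
                          validate_token_and_account(store, expired, later))

    # Deactivating the account closes the hole even for the flawed check,
    # which is why the advisory offers it as an interim mitigation.
    alice.active = False
    results["account_disabled"] = (validate_account_only(store, fresh, now),
                                   validate_token_and_account(store, fresh, now))
    return results


if __name__ == "__main__":
    for name, (flawed, hardened) in run_scenarios().items():
        print(f"{name:17s} account-only={flawed!s:5s} token-and-account={hardened}")
```

The scenario table shows the two behaviours diverging exactly on the deleted and expired tokens, and agreeing once the owning account is deactivated; that second point is the reason account deactivation works as a stopgap until the upgrade is applied.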

Affected Version(s)

infrahub < 1.3.9

infrahub >= 1.4.0, < 1.4.5

References

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
