API Misconfiguration in Control Panel Affects Enrollment Systems by Palantir
CVE-2025-64400
4.1 MEDIUM
What is CVE-2025-64400?
The Control Panel's user creation API allows pre-registration into an enrollment and organization before a user's initial login. While this API checks that the requestor has edit permissions on the enrollment-level user directory, it fails to validate that the enrollment editor is properly associated with the organization for which they are adding a user. This oversight can lead to unauthorized access and manipulation of user accounts in the system.
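The missing authorization step described above, shown as an added illustrative example in Python. This is not Control Panel's code; the data model, function names and the rule that a requestor must be associated with the target organization are assumptions made for the example.

```python
from dataclasses import dataclass, field

class AuthorizationError(Exception):
    pass

@dataclass(frozen=True)
class Requestor:
    user_id: str
    editor_of_enrollments: frozenset  # enrollments whose user directory the requestor may edit
    organizations: frozenset          # organizations the requestor is actually associated with

@dataclass
class UserDirectory:
    enrollment: str
    organizations: set                         # organizations belonging to this enrollment
    users: dict = field(default_factory=dict)  # pre-registered user -> organization

def create_user_vulnerable(requestor, directory, new_user, organization):
    """Authorizes only on enrollment-level edit rights (the pattern the advisory describes)."""
    if directory.enrollment not in requestor.editor_of_enrollments:
        raise AuthorizationError("requestor cannot edit this enrollment's user directory")
    directory.users[new_user] = organization  # organization is trusted without any check
    return new_user

def create_user_fixed(requestor, directory, new_user, organization):
    """Also binds the requestor to the organization that receives the new user."""
    if directory.enrollment not in requestor.editor_of_enrollments:
        raise AuthorizationError("requestor cannot edit this enrollment's user directory")
    if organization not in directory.organizations:
        raise AuthorizationError("organization is not part of this enrollment")
    if organization not in requestor.organizations:
        raise AuthorizationError("requestor is not associated with this organization")
    directory.users[new_user] = organization
    return new_user

def demo():
    # Constructed scenario: alice edits enrollment enr-1 but is associated only with org-a.
    alice = Requestor("alice", frozenset({"enr-1"}), frozenset({"org-a"}))
    directory = UserDirectory("enr-1", {"org-a", "org-b"})
    outcome = {"vulnerable_cross_org": create_user_vulnerable(alice, directory, "bob", "org-b")}
    for label, org, name in (("fixed_cross_org", "org-b", "bob"), ("fixed_own_org", "org-a", "carol")):
        try:
            outcome[label] = create_user_fixed(alice, directory, name, org)
        except AuthorizationError as exc:
            outcome[label] = str(exc)
    return outcome

if __name__ == "__main__":
    print(demo())
```

The vulnerable path lets an editor of the enrollment pre-register a user into an organization they have no association with; the fixed path rejects that request while still allowing creation in the editor's own organization.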
Affected Version(s)
com.palantir.controlpanel:control-panel * < 1.1401.0
com.palantir.controlpanel:control-panel 1.1395.1
com.palantir.controlpanel:control-panel 1.1384.1
