Privilege Escalation Vulnerability in Cerebrate by Cerebrate Project
CVE-2025-66385

9.4 CRITICAL

Key Information:

CVE Published: 28 November 2025

What is CVE-2025-66385?

An authenticated, non-privileged user of Cerebrate prior to version 1.30 can abuse the UsersController::edit functionality. The server does not restrict which fields such a user may change during a user-edit operation, so by supplying a modified role_id or organisation_id in the edit request the user can escalate their privileges and obtain a higher role, such as admin. This is a significant security concern: it grants unauthorized access to functionality that is meant to be restricted to privileged roles.
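The defensive check this class of bug lacks, shown as an added illustration that is not Cerebrate's code: a vulnerable edit handler that applies whatever the client submits, next to a hardened one that authorises the edit server-side and refuses changes to role_id or organisation_id from a non-admin. The field names come from the advisory; the User record, role ids and the demo scenario are constructed for this example.

```python
from dataclasses import dataclass, replace

ADMIN_ROLE_ID = 1                                   # constructed demo value
PRIVILEGED_FIELDS = {"role_id", "organisation_id"}  # names from the advisory


@dataclass(frozen=True)
class User:               # constructed stand-in for a stored user record
    id: int
    email: str
    role_id: int
    organisation_id: int


class Forbidden(Exception):
    pass


def edit_user_weak(actor: User, target: User, form: dict) -> User:
    """Vulnerable pattern: whatever the client submits is applied verbatim."""
    return replace(target, **form)


def edit_user_hardened(actor: User, target: User, form: dict) -> User:
    """Hardened pattern: authorise server-side, refuse privilege changes by non-admins."""
    is_admin = actor.role_id == ADMIN_ROLE_ID
    if not is_admin and actor.id != target.id:
        raise Forbidden("non-admin users may only edit their own account")
    if not is_admin:
        # Compare with the stored record: an unchanged echo is fine, a change is refused.
        tampered = {f for f in PRIVILEGED_FIELDS
                    if f in form and form[f] != getattr(target, f)}
        if tampered:
            raise Forbidden(f"{sorted(tampered)} may only be changed by an admin")
    return replace(target, **form)


def demo() -> dict:
    """Constructed scenario: a non-admin user submits role_id = admin for themselves."""
    alice = User(2, "alice@example.test", role_id=3, organisation_id=10)
    admin = User(1, "admin@example.test", role_id=ADMIN_ROLE_ID, organisation_id=10)
    out = {"weak_role": edit_user_weak(alice, alice, {"role_id": ADMIN_ROLE_ID}).role_id}
    try:
        edit_user_hardened(alice, alice, {"role_id": ADMIN_ROLE_ID})
        out["hardened"] = "allowed"
    except Forbidden:
        out["hardened"] = "refused"   # the refusal is also the event worth logging
    out["self_edit"] = edit_user_hardened(alice, alice, {"email": "a2@example.test", "role_id": 3}).email
    out["admin_promote"] = edit_user_hardened(admin, alice, {"role_id": ADMIN_ROLE_ID}).role_id
    return out
```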

Affected Version(s)

Cerebrate, all versions before 1.30 (0 ≤ version < 1.30)

CVSS V4

  • Score: 9.4
  • Severity: CRITICAL
  • Confidentiality: High
  • Integrity: High
  • Availability: High
  • Attack Vector: Network
  • Attack Complexity: Low
  • Attack Requirements: None
  • Privileges Required: Undefined
  • User Interaction: None

Timeline

  • Vulnerability published

  • Vulnerability reserved