CVE-2025-11853 Overview
CVE-2025-11853 is an improper access control vulnerability in Sismics Teedy, an open-source document management system. The flaw affects an unknown function within the /api/file API endpoint in versions up to 1.11. An authenticated remote attacker with low privileges can manipulate the endpoint to bypass intended access restrictions on files. The exploit details have been publicly disclosed through VulDB. The vendor was contacted before public disclosure but did not respond. The vulnerability is categorized under [CWE-266] Incorrect Privilege Assignment.
Critical Impact
Authenticated remote attackers can leverage improper access controls in the /api/file endpoint to interact with file resources beyond their assigned permissions, exposing document confidentiality and integrity.
Affected Products
- Sismics Teedy versions up to and including 1.11
- Component: /api/file API endpoint
- Deployments exposing the Teedy REST API to authenticated users
Discovery Timeline
- 2025-10-16 - CVE-2025-11853 published to NVD
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-11853
Vulnerability Analysis
The vulnerability resides in the /api/file API endpoint of Sismics Teedy. The endpoint fails to enforce proper access control checks before processing requests against file objects. An authenticated user with low privileges can manipulate request parameters to perform actions on files that should be restricted based on document ownership or sharing permissions.
The weakness maps to [CWE-266] Incorrect Privilege Assignment. Teedy uses a permissions model where files are associated with documents and access is governed by ACL entries. When the affected handler processes requests, it does not consistently validate that the caller holds the required ACL grant for the targeted file. This breaks the boundary between unprivileged users and document owners.
Impact is limited because authentication is required, and the disclosed CVSS 4.0 vector reflects only partial confidentiality, integrity, and availability effects, scoped to a single document. No system-wide compromise is documented.
Root Cause
The root cause is missing or insufficient authorization enforcement in the /api/file controller logic. The application authenticates the caller but does not re-verify the caller's right to operate on the specific file resource referenced in the request. This is a classic broken access control pattern at the API layer rather than a memory safety or injection flaw.
Attack Vector
Exploitation requires network access to the Teedy API and valid low-privilege credentials. The attacker issues crafted HTTP requests to /api/file referencing file identifiers belonging to other users or documents the attacker should not access. The server processes the request without the required authorization check. The exploit has been publicly disclosed via VulDB submission #657060, increasing the likelihood of opportunistic abuse against exposed Teedy instances.
No verified proof-of-concept code is included here. Refer to the VulDB entry #328799 and the public disclosure document for request-level details.
Detection Methods for CVE-2025-11853
Indicators of Compromise
- Unexpected HTTP requests to /api/file originating from low-privilege accounts referencing file IDs outside their document scope.
- Repeated enumeration patterns against /api/file/{id} endpoints in Teedy access logs.
- Audit log entries showing file reads, downloads, or modifications inconsistent with the user's ACL grants.
Detection Strategies
- Review Teedy application logs for /api/file requests where the requesting user has no ACL relationship to the targeted document.
- Correlate authentication events with file access events to identify accounts performing access patterns inconsistent with their role.
- Deploy a reverse proxy or WAF rule to log all /api/file traffic with user identity, file ID, and response code for retrospective analysis.
Monitoring Recommendations
- Forward Teedy application logs and reverse proxy logs to a centralized logging platform for correlation and alerting.
- Alert on bursts of /api/file requests from a single session and on 200-OK responses to file IDs the user has not previously interacted with.
- Track newly created low-privilege accounts and monitor their first interactions with the /api/file endpoint.
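The following script is an added example (not from the Teedy project or this advisory) that turns the detection and monitoring guidance above into runnable checks: it parses constructed reverse-proxy log lines in the shape recommended above (user identity, file ID, response code), flags 200-OK file accesses by users who hold no ACL grant on the file's parent document, and flags users enumerating many distinct file IDs. The log format, user names, file and document IDs, and the ACL tables are all constructed assumptions; a real deployment would load them from its proxy logs and Teedy's ACL data.

```python
import re
from collections import defaultdict

# Constructed sample proxy log lines (timestamp user method path status).
# These are not real Teedy or nginx output; the format is an assumption.
LOG_LINES = """\
2025-10-16T10:00:01Z alice GET /api/file/f1/data 200
2025-10-16T10:00:02Z bob GET /api/file/f1/data 200
2025-10-16T10:00:03Z bob GET /api/file/f2/data 200
2025-10-16T10:00:04Z bob GET /api/file/f3/data 200
2025-10-16T10:00:05Z bob GET /api/file/f4/data 403
2025-10-16T10:00:06Z carol GET /api/file/f9/data 200
""".splitlines()

# Constructed ACL model mirroring the description above: every file belongs
# to a document, and a document's ACL lists the users granted access to it.
FILE_TO_DOC = {"f1": "d1", "f2": "d1", "f3": "d2", "f4": "d3", "f9": "d4"}
DOC_ACL = {"d1": {"alice"}, "d2": {"alice"}, "d3": {"alice"}, "d4": {"carol"}}

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) /api/file/([^/\s]+)\S* (\d{3})$")

def parse(line):
    """Return a dict for an /api/file request line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, user, method, file_id, status = m.groups()
    return {"ts": ts, "user": user, "method": method,
            "file_id": file_id, "status": int(status)}

def unauthorized_hits(lines, file_to_doc, doc_acl):
    """Successful (200) file accesses where the caller has no ACL grant on the
    file's parent document. Denied requests (non-200) are not flagged."""
    hits = []
    for rec in filter(None, map(parse, lines)):
        doc = file_to_doc.get(rec["file_id"])
        if doc is None or rec["status"] != 200:
            continue
        if rec["user"] not in doc_acl.get(doc, set()):
            hits.append((rec["user"], rec["file_id"], doc))
    return hits

def enumerating_users(lines, threshold=3):
    """Users touching at least `threshold` distinct file IDs, a burst pattern
    worth an alert regardless of the response codes they received."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse, lines)):
        seen[rec["user"]].add(rec["file_id"])
    return sorted(u for u, ids in seen.items() if len(ids) >= threshold)
```

Both checks are independent: the first needs the ACL tables, while the enumeration check works from proxy logs alone and so remains useful on deployments where ACL data is not exported.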
How to Mitigate CVE-2025-11853
Immediate Actions Required
- Restrict network exposure of the Teedy API to trusted users only, using VPN or IP allowlists where feasible.
- Audit existing user accounts and remove unused or untrusted low-privilege accounts that could be leveraged for exploitation.
- Review document ACLs and remove overly broad sharing that magnifies the impact of access control bypass.
Patch Information
At the time of publication, no vendor patch has been referenced in the NVD entry. The vendor was contacted prior to disclosure but did not respond. Monitor the Sismics Teedy project for updates beyond version 1.11 that address the /api/file authorization logic.
Workarounds
- Place Teedy behind an authenticating reverse proxy that restricts access to known internal users.
- Disable or block the /api/file endpoint at the proxy layer for user groups that do not require API-level file operations.
- Enforce least privilege on document sharing and limit collaborator counts on sensitive documents until a fix is released.
# Example nginx rule to restrict /api/file to an internal CIDR
# (teedy_backend is the upstream name used for the Teedy application)
location /api/file {
    allow 10.0.0.0/8;
    deny all;
    proxy_pass http://teedy_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

