CVE-2025-67796 Overview
CVE-2025-67796 is an improper authorization vulnerability [CWE-284] in IKUS Rdiffweb versions before 2.10.5. The Rdiffweb API fails to enforce binding between the authenticated subject and the targeted user or tenant. Any attacker holding a valid or stolen access token can issue crafted requests to read or modify other users' data. In some cases, attackers can perform privileged actions, enabling cross-tenant access. The flaw affects the multi-tenant security model of the backup management web interface. IKUS resolved the issue in Rdiffweb version 2.10.6.
Critical Impact
Authenticated attackers can access or modify other tenants' backup data and may execute privileged actions across the application.
Affected Products
- IKUS Rdiffweb versions prior to 2.10.5
- Rdiffweb deployments with multi-tenant configurations
- Rdiffweb API endpoints handling user-scoped resources
Discovery Timeline
- 2026-05-04 - CVE-2025-67796 published to NVD
- 2026-05-07 - Last updated in NVD database
Technical Details for CVE-2025-67796
Vulnerability Analysis
The vulnerability resides in Rdiffweb's API authorization layer. The application authenticates requests using access tokens but does not verify that the authenticated subject owns the resource referenced in the request. This decoupling allows any token holder to target endpoints scoped to other users.
An attacker with a low-privilege account or a stolen token can enumerate user identifiers and tenant references in API paths or parameters. The server processes these requests against the targeted resource without rejecting cross-user access. This produces both confidentiality and integrity impact across tenants sharing the same Rdiffweb instance.
The weakness maps to [CWE-284] Improper Access Control. The EPSS score for this CVE is 0.027% as of 2026-05-07.
Root Cause
The Rdiffweb API treats authentication as sufficient evidence of authorization. Endpoints accept user or tenant identifiers from the request without validating that they match the authenticated principal. The missing object-level authorization check is a classic Broken Access Control pattern in REST APIs.
Attack Vector
An attacker authenticates to Rdiffweb with any valid token, including one obtained through credential theft, phishing, or token leakage. The attacker then sends API requests targeting another user's resources by substituting user or tenant identifiers in request paths, query parameters, or bodies. The server returns data belonging to the victim user or applies modifications to the victim's account.
The vulnerability does not require user interaction and is exploitable over the network. Refer to the GitLab rdiffweb Repository for technical details on the affected API surface.
Detection Methods for CVE-2025-67796
Indicators of Compromise
- API request logs showing a single token or session accessing resources tied to multiple distinct user identifiers within a short window.
- Unexpected modifications to user backup configurations or repository metadata not initiated by the resource owner.
- Authentication events followed by access to administrative or cross-tenant endpoints from non-administrative accounts.
Detection Strategies
- Audit Rdiffweb access logs for requests where the authenticated user identifier differs from the user identifier present in the URL path or request payload.
- Correlate token usage patterns to detect a single token enumerating sequential user IDs or tenant IDs.
- Monitor for HTTP 200 responses on user-scoped endpoints accessed by accounts that should not have visibility into those resources.
Monitoring Recommendations
- Enable verbose API access logging on the Rdiffweb application server and forward logs to a centralized SIEM.
- Establish baselines for normal per-user API call volume and alert on deviations consistent with enumeration.
- Track privileged action events such as user creation, permission changes, and repository deletion for execution by non-admin accounts.
How to Mitigate CVE-2025-67796
Immediate Actions Required
- Upgrade Rdiffweb to version 2.10.6 or later, which contains the official fix from IKUS.
- Rotate all active Rdiffweb access tokens and user credentials following the upgrade.
- Review API access logs for the period prior to patching to identify any cross-tenant access attempts.
Patch Information
IKUS released the fix in Rdiffweb version 2.10.6. Refer to the GitLab rdiffweb Release Note for full release details. Operators should pull the fixed version from the official source repository at the GitLab rdiffweb Repository and validate the upgrade in a staging environment before production rollout.
Workarounds
- Restrict network access to the Rdiffweb interface to trusted administrative networks until the patch is applied.
- Reduce the lifetime of access tokens and revoke tokens that are not actively required.
- Place Rdiffweb behind a reverse proxy that enforces additional authorization controls based on user identity claims.
# Upgrade Rdiffweb to the patched version
pip install --upgrade 'rdiffweb>=2.10.6'
# Verify the installed version
rdiffweb --version
# Restart the service to apply the upgrade
systemctl restart rdiffweb
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

