CVE-2026-28511 Overview
CVE-2026-28511 is an information disclosure vulnerability in eLabFTW, an open source electronic lab notebook used by research and laboratory teams. Versions prior to 5.4.2 allow an authenticated user performing a numeric reference or search query to receive results that include resource titles the user is not authorized to view. The exposed data is limited to the title field, and authorization checks continue to block access to the underlying resource content. Version 5.4.2 resolves the issue. The vulnerability is tracked under CWE-200: Exposure of Sensitive Information to an Unauthorized Actor.
Critical Impact
Authenticated users can enumerate titles of restricted resources through numeric reference and search queries, potentially exposing sensitive project names, patient identifiers, or regulated information embedded in titles.
Affected Products
- eLabFTW versions prior to 5.4.2
- Self-hosted eLabFTW instances exposing search and reference endpoints to authenticated users
- Multi-team eLabFTW deployments where cross-team resource segregation is required
Discovery Timeline
- 2026-06-01 - CVE-2026-28511 published to the National Vulnerability Database
- 2026-06-03 - Last updated in NVD database
Technical Details for CVE-2026-28511
Vulnerability Analysis
The flaw resides in how eLabFTW resolves numeric references and search results. When an authenticated user submits a query that matches resources by numeric identifier, the server returns matching entries without fully evaluating per-resource authorization scope. As a result, the response can include the titles of resources belonging to other teams, users, or restricted scopes that the requester is not entitled to view.
The disclosure is limited to the title attribute. Attempts to follow up and load the full resource record, attachments, or body content remain blocked by the application's authorization layer. The vulnerability therefore creates an enumeration primitive rather than a direct content compromise.
This is classified as an Information Exposure issue under CWE-200. The Exploit Prediction Scoring System (EPSS) reports a probability of 0.029% as of 2026-06-04, and no public proof-of-concept or in-the-wild exploitation has been reported.
Root Cause
The root cause is an inconsistency between the search and reference resolution path and the standard resource access path. The search routine evaluates the requester's session but does not apply the same scope filter used when fetching a resource directly. Titles are returned from the index before the authorization filter rejects the entry, exposing metadata the user should not see.
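To make this inconsistency concrete, here is an added illustration in Python; it is not eLabFTW code, and the resource model, the team-only scope rule and the sample records are constructed assumptions. It contrasts a direct-access path that applies the scope check, a search path that emits titles before that check, and the aligned version that reuses the same predicate.

```python
from __future__ import annotations
from dataclasses import dataclass

# Constructed model of the defect class described above. Not eLabFTW code;
# the scope rule (same team only) and the sample index are assumptions.

@dataclass(frozen=True)
class Resource:
    id: int
    title: str
    owner_team: str
    body: str

@dataclass(frozen=True)
class User:
    name: str
    team: str

# Constructed sample index shared by both lookup paths.
INDEX = {
    101: Resource(101, "Buffer calibration", "team-a", "..."),
    102: Resource(102, "Study XYZ-7 subject list", "team-b", "..."),
    103: Resource(103, "Freezer inventory", "team-a", "..."),
}

def can_read(user: User, res: Resource) -> bool:
    """Scope rule used by direct resource access (assumed: same team only)."""
    return res.owner_team == user.team

def fetch_resource(user: User, res_id: int) -> Resource | None:
    """Direct-access path: the scope filter runs before anything is returned."""
    res = INDEX.get(res_id)
    return res if res is not None and can_read(user, res) else None

def search_titles_vulnerable(user: User, id_range: range) -> dict[int, str]:
    """Defective search path: only the session is checked, and titles are
    emitted from the index without the per-resource scope filter."""
    assert user is not None  # authenticated, but nothing per-resource
    return {i: INDEX[i].title for i in id_range if i in INDEX}

def search_titles_fixed(user: User, id_range: range) -> dict[int, str]:
    """Aligned search path: reuses the exact predicate of fetch_resource,
    so no title is emitted that a direct fetch would refuse."""
    return {i: r.title for i in id_range
            if (r := INDEX.get(i)) is not None and can_read(user, r)}

def leaked_titles(user: User, id_range: range) -> dict[int, str]:
    """Titles the defective path returns although a direct fetch is blocked:
    the metadata-only exposure the advisory describes."""
    return {i: t for i, t in search_titles_vulnerable(user, id_range).items()
            if fetch_resource(user, i) is None}
```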
Attack Vector
Exploitation requires an authenticated account with standard, non-privileged access. The attacker issues numeric reference or search requests across a range of identifiers and harvests the returned titles. The attack is performed over the network against the eLabFTW web interface or API, with low complexity and no user interaction required. The sensitivity of the disclosure depends entirely on what organizations encode into resource titles, such as study codes, subject identifiers, or project names.
No verified exploit code is publicly available. Refer to the eLabFTW GHSA-wm4r-p2jg-2mj3 advisory for vendor-confirmed technical detail.
Detection Methods for CVE-2026-28511
Indicators of Compromise
- Authenticated sessions issuing high-volume sequential or numeric-range search and reference queries against eLabFTW endpoints.
- Search responses containing resource titles owned by teams or users outside the requester's membership scope.
- Single accounts retrieving search result sets that materially exceed historical baselines for that user.
Detection Strategies
- Enable verbose application logging in eLabFTW and capture search and reference API calls with the requesting user, query parameters, and result identifiers.
- Correlate result resource ownership against the requester's team membership to flag cross-scope title returns.
- Alert on enumeration patterns such as monotonic identifier sweeps or repeated short-interval search queries from one session.
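The second and third strategies above, as added detection logic that is not part of the advisory or of eLabFTW: a constructed JSON-lines log with an assumed schema, plus assumed membership and resource-owner tables, is checked for cross-scope title returns and for monotonic identifier sweeps within a single session.

```python
import json
from collections import defaultdict

# Constructed sample data. The log schema, field names, teams and ids are
# assumptions for illustration, not eLabFTW's actual log format.
MEMBERSHIP = {"alice": {"team-a"}, "bob": {"team-b"}}
RESOURCE_OWNER = {101: "team-a", 102: "team-b", 103: "team-a",
                  104: "team-b", 105: "team-b"}

SAMPLE_LOG = """
{"ts": 1000, "session": "s1", "user": "alice", "query": "101", "result_ids": [101]}
{"ts": 1001, "session": "s1", "user": "alice", "query": "102", "result_ids": [102]}
{"ts": 1002, "session": "s1", "user": "alice", "query": "103", "result_ids": [103]}
{"ts": 1003, "session": "s1", "user": "alice", "query": "104", "result_ids": [104]}
{"ts": 1004, "session": "s1", "user": "alice", "query": "105", "result_ids": [105]}
{"ts": 1600, "session": "s2", "user": "bob", "query": "freezer", "result_ids": [104]}
""".strip()

def parse_log(text):
    """One JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def cross_scope_returns(events):
    """Flag result ids whose owning team lies outside the requester's
    membership: a title was returned that direct access would refuse."""
    findings = []
    for ev in events:
        teams = MEMBERSHIP.get(ev["user"], set())
        for rid in ev["result_ids"]:
            owner = RESOURCE_OWNER.get(rid)
            if owner is not None and owner not in teams:
                findings.append((ev["user"], rid, owner))
    return findings

def sweep_sessions(events, min_run=4, max_gap=60):
    """Flag sessions whose numeric queries form a strictly increasing run of
    at least min_run requests, each within max_gap seconds of the previous."""
    by_session = defaultdict(list)
    for ev in events:
        if ev["query"].isdigit():
            by_session[ev["session"]].append((ev["ts"], int(ev["query"])))
    flagged = set()
    for sess, items in by_session.items():
        items.sort()
        run = 1
        for (t0, q0), (t1, q1) in zip(items, items[1:]):
            run = run + 1 if q1 > q0 and t1 - t0 <= max_gap else 1
            if run >= min_run:
                flagged.add(sess)
                break
    return flagged
```

Both functions report only what the log and the ownership table support; the membership table would normally be pulled from the application's team configuration rather than hard-coded.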
Monitoring Recommendations
- Forward eLabFTW web server and application logs to a centralized logging or SIEM platform for retention and query.
- Track per-user query rate and result volume against historical baselines, and alert on deviations.
- Audit recent search and reference activity for any account suspected of compromise to determine whether unauthorized title enumeration occurred.
How to Mitigate CVE-2026-28511
Immediate Actions Required
- Upgrade all eLabFTW instances to version 5.4.2 or later, which contains the authorization fix.
- Review and sanitize existing resource titles to remove sensitive identifiers such as patient IDs, regulated codes, or confidential project names.
- Audit application logs for prior numeric reference and search activity that may indicate exploitation before patching.
Patch Information
eLabFTW version 5.4.2 resolves CVE-2026-28511 by aligning the authorization scope check applied during numeric reference and search resolution with the check used on direct resource access. Administrators should apply the upgrade following the standard eLabFTW upgrade procedure. See the eLabFTW Security Advisory GHSA-wm4r-p2jg-2mj3 for the official vendor notice.
Workarounds
- Where immediate patching is not possible, restrict eLabFTW access to a smaller trusted user population through network controls or authentication policy.
- Establish an organizational policy that excludes sensitive identifiers from resource titles and stores them only in access-controlled body content.
- Increase monitoring of authenticated search activity until the upgrade to 5.4.2 is complete.
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.