What the vulnerability does
01Description
A user with non-Admin access can change a configuration file on the client to modify the Server URL.
CVSS base score
7.8/10
CVSS vector
CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Key dates
02Disclosure timeline
April 10, 2023
CVE published
February 10, 2025
Record updated
External resources
03References
Related vulnerabilities
04Related CVE
CVE-2021-22862 Improper access control in GitHub Enterprise Server leading to the disclosure of Actions secrets to forks
CVE-2026-7644 ChatGPTNextWeb NextChat actions.ts addMcpServer improper authorization
CVE-2025-6713 MongoDB Server may be susceptible to privilege escalation due to $mergeCursors stage
CVE-2020-1720
CVE-2021-32523 QSAN Storage Manager - Improper Authorization
