CVE-2025-59683 HIGH

CVE-2025-59683

Vendor Pexip

Product Infinity

Weakness CWE-863 · Incorrect authorization

Published December 25, 2025

Last update December 26, 2025

View on NVD All CVEs

CVSS base score

8.2/10

Attack vector Network

Attack complexity Low

Privileges required None

User interaction None

Confidentiality Low

Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:H

What the vulnerability does

01Description

Pexip Infinity 15.0 through 38.0 before 38.1 has Improper Access Control in the Secure Scheduler for Exchange service, when used with Office 365 Legacy Exchange Tokens. This allows a remote attacker to read potentially sensitive data and excessively consume resources, leading to a denial of service.

Key dates

02Disclosure timeline

December 25, 2025 CVE published

December 26, 2025 Record updated

External resources

03References

NVD — National Vulnerability Database https://nvd.nist.gov/vuln/detail/CVE-2025-59683

Related vulnerabilities

04Related CVE

CVE-2021-36039 Magento Commerce `quoteId` parameter Incorrect Authorization Vulnerability Could Lead To Information Disclosure CVE-2023-31141 OpenSearch issue with fine-grained access control during extremely rare race conditions CVE-2026-8350 Concrete CMS 9.5.0 and below is vulnerable to missing authorization in the bulk_user_assignment.php which can lead to privilege escalation to Administrative Group CVE-2026-45316 Open WebUI: Read-Only Users Can Toggle Note Pin Status via Incorrect Permission Check (Write via Read-Only Access) CVE-2026-21285 Adobe Commerce | Incorrect Authorization (CWE-863)