CVE-2025-62292 MEDIUM

CVE-2025-62292

Vendor Sonarsource
Product SonarQube
Weakness CWE-669
Published October 10, 2025
Last update October 10, 2025

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

In SonarQube before 25.6, 2025.3 Commercial, and 2025.1.3 LTA, authenticated low-privileged users can query the /api/v2/users-management/users endpoint and obtain user fields intended for administrators only, including the email addresses of other accounts.

Key dates

02Disclosure timeline

October 10, 2025 CVE published
October 10, 2025 Record updated