CVE-2026-41464 HIGH

CVE-2026-41464: ProjeQtor < 12.4.4 Missing Authorization via objectDetail.php

Vendor Projeqtor

Product ProjeQtor

Weakness CWE-862 · Missing authorization

Published April 27, 2026

Last update May 14, 2026

View on NVD All CVEs

CVSS base score

7.1/10

Attack vector Network

Attack complexity Low

Privileges required Low

User interaction None

Confidentiality —

Integrity —

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

What the vulnerability does

Description

ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.

Key dates

Disclosure timeline

April 27, 2026 CVE published

May 14, 2026 Record updated