Ibexa · eZ Publish Ibexa Kernel · CVE-2022-48367
**Name of the Vulnerable Software and Affected Versions**
eZ Publish Ibexa Kernel versions prior to 7.5.28
**Description**
An issue was discovered where access control based on object state is mishandled. This issue affects a policy used in roles to limit access to content based on specific object state values. Due to a flawed update, these limitations were ineffective, granting access to content regardless of the object state. The severity of this issue depends on the frontend design, as knowing the URL to the content may or may not be required to access it.
**Recommendations**
For versions prior to 7.5.28, please apply the fix as soon as possible, especially if object state limitations are used in roles.