
Philippedelteil

#39421 of 53,632
6.9 Total CVSS
Vulnerabilities · 1
PT-2024-17656
6.9
2024-12-12
Open Design Alliance · Open Design Alliance Cde Inweb Sdk · CVE-2024-12564
**Name of the Vulnerable Software and Affected Versions**

Open Design Alliance CDE inWEB SDK versions prior to 2025.3

**Description**

A vulnerability was discovered that allows exposure of sensitive information to an unauthorized actor. Installing CDE Server with default settings enables unauthorized users to visit the Prometheus metrics page, which can help attackers understand more about the target application and aid in further investigation and exploitation.

**Recommendations**

For versions prior to 2025.3, consider disabling access to the Prometheus metrics page as a temporary workaround until a patch is available.

Restrict access to the CDE Server to minimize the risk of exploitation.

Avoid using default settings when installing CDE Server.

At the moment, there is no information about a newer version that contains a fix for this vulnerability.