PT-2025-36994 · Infrahub · Infrahub

Fatih-Acar

Published

2025-09-09

Updated

2025-09-10

CVE-2025-59036

CVSS v3.1

5.5

Medium

Vector

AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L

Name of the Vulnerable Software and Affected Versions: Infrahub versions prior to 1.3.9 Infrahub versions prior to 1.4.5

Description: Infrahub provides a central hub for managing data, templates, and playbooks. A flaw in the authentication logic allows deleted or expired API tokens to be considered valid, enabling authentication with any API token associated with an active user account.

Recommendations: For versions prior to 1.3.9, delete or deactivate the account associated with a deleted API token to prevent authentication. For versions prior to 1.4.5, delete or deactivate the account associated with a deleted API token to prevent authentication.

Exploit

Fix

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-298

Related Identifiers

CVE-2025-59036

GHSA-V2P7-4PV4-3WWH

Affected Products

Infrahub

PT-2025-36994 · Infrahub · Infrahub

CVE-2025-59036

Weakness Enumeration

Related Identifiers

Affected Products

References · 12