PT-2025-41531 · Sonarqube · Sonarqube

Published: 2025-10-10 · Updated: 2025-10-10 · CVE-2025-62292

CVSS v3.1: 4.3 (Medium)

Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Name of the Vulnerable Software and Affected Versions

SonarQube versions prior to 25.6
SonarQube 2025.3 Commercial versions prior to 2025.3
SonarQube 2025.1.3 LTA versions prior to 2025.1.3

Description

Authenticated users with low privileges can access the /api/v2/users-management/users endpoint to retrieve user information intended only for administrators, including the email addresses of other accounts. The issue occurs when querying this endpoint. The users variable is exposed to unauthorized access.

Recommendations

Update SonarQube to version 25.6 or later.
Update SonarQube 2025.3 Commercial to version 2025.3 or later.
Update SonarQube 2025.1.3 LTA to version 2025.1.3 or later.

Related Identifiers: CVE-2025-62292

Affected Products: Sonarqube