PT-2025-46999 · Alteryx · Alteryx Server

Published

2025-11-14

·

Updated

2025-11-16

·

CVE-2025-63291

CVSS v3.1

5.4

Medium

Vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Name of the Vulnerable Software and Affected Versions Alteryx Server versions 2022.1.1.42654 and 2024.1
Description Alteryx Server does not enforce object-level authorization on API requests that identify a record by its MongoDB ObjectId. The server resolves the ObjectId supplied by an authenticated client and returns the matching record without checking that the caller owns it or is otherwise entitled to it, so any authenticated user (PR:L in the CVSS vector) can read records belonging to other users simply by substituting their ObjectIds. Data exposed this way may include administrative API keys and private studio API keys. The affected endpoints are not named publicly; the issue applies to retrieval paths keyed on a client-supplied MongoDB ObjectId, which is the vulnerable parameter. Note that ObjectIds are not secrets: each is a 4-byte timestamp, a 5-byte per-process random value and a 3-byte counter, so IDs issued by the same server process differ only in their low bytes and cannot serve as an authorization boundary on their own.
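The pattern described above, as an added illustration rather than Alteryx's own code: a lookup that trusts a client-supplied MongoDB ObjectId, the same lookup with an ownership check, and a parser that splits an ObjectId into its documented fields to show why it is guessable. The collection layout, user model, handler names and sample IDs and keys are all constructed for this example.

```python
"""Added illustration (not Alteryx Server code): an IDOR on a MongoDB
ObjectId lookup, the ownership check that closes it, and why ObjectIds
are a poor authorization boundary.  All names and data are constructed."""
from dataclasses import dataclass
import struct


@dataclass
class User:
    user_id: str
    is_admin: bool = False


class NotFound(Exception):
    """Surfaced to the client as HTTP 404 in the hypothetical API."""


# Stand-in for a MongoDB collection: {ObjectId hex: document}.
# The two IDs share timestamp and process bytes and differ only in the
# trailing counter, as IDs minted by one process in the same second do.
STUDIO_API_KEYS = {
    "6717a0f1c3b2a1d4e5000001": {"owner": "alice", "api_key": "ALICE_KEY_PLACEHOLDER"},
    "6717a0f1c3b2a1d4e5000002": {"owner": "bob", "api_key": "BOB_KEY_PLACEHOLDER"},
}


def get_api_key_vulnerable(caller: User, object_id: str) -> str:
    """Before: the client-supplied ObjectId is the only input to the lookup.
    Any authenticated caller who knows (or guesses) Alice's ObjectId gets
    Alice's key; `caller` is never consulted."""
    doc = STUDIO_API_KEYS.get(object_id)
    if doc is None:
        raise NotFound(object_id)
    return doc["api_key"]


def get_api_key_fixed(caller: User, object_id: str) -> str:
    """After: the ObjectId still selects the document, but the server checks
    that the caller owns it (or is an administrator) before returning it.
    'Does not exist' and 'not yours' raise the same error so the endpoint
    does not confirm which ObjectIds are valid."""
    doc = STUDIO_API_KEYS.get(object_id)
    if doc is None or not (caller.is_admin or doc["owner"] == caller.user_id):
        raise NotFound(object_id)
    return doc["api_key"]


def is_denied(handler, caller: User, object_id: str) -> bool:
    """True if the handler refuses the request (lets the two handlers be compared)."""
    try:
        handler(caller, object_id)
    except NotFound:
        return True
    return False


def objectid_parts(hex_id: str) -> dict:
    """Split a 12-byte ObjectId into its documented fields: 4-byte big-endian
    Unix timestamp, 5-byte per-process random value, 3-byte counter.  None of
    these is secret, which is why an ObjectId cannot double as a capability."""
    raw = bytes.fromhex(hex_id)
    if len(raw) != 12:
        raise ValueError("ObjectId must be 12 bytes (24 hex characters)")
    (timestamp,) = struct.unpack(">I", raw[:4])
    return {
        "timestamp": timestamp,
        "process_random": raw[4:9].hex(),
        "counter": int.from_bytes(raw[9:12], "big"),
    }


if __name__ == "__main__":
    bob = User("bob")
    alice_id = "6717a0f1c3b2a1d4e5000001"
    print("vulnerable handler gives Bob:", get_api_key_vulnerable(bob, alice_id))
    print("fixed handler denies Bob:", is_denied(get_api_key_fixed, bob, alice_id))
    print("ObjectId fields:", objectid_parts(alice_id))
```

The fix keeps the ObjectId as the database key and adds the missing step: a comparison between the record's owner and the authenticated principal, with administrators exempted. Returning the same 404 for missing and foreign records matters because a 403 would otherwise let a caller enumerate which of the sequential ObjectIds exist.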
Recommendations No fixed release is known for either affected version (Alteryx Server 2022.1.1.42654 and 2024.1) at the time of writing. As general mitigation, not vendor guidance: until a fix is available, restrict which accounts can authenticate to the Server API, and treat any administrative or private studio API keys that a non-administrative account could have retrieved as exposed and rotate them.

Exploit

IDOR

Weakness Enumeration

Related Identifiers

CVE-2025-63291

Affected Products

Alteryx Server
MongoDB