PT-2025-48066 · Primakon · Primakon Pi Portal

Published: 2025-11-25 · Updated: 2025-12-01 · CVE-2025-64066

CVSS v3.1: 8.6 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:L
Name of the Vulnerable Software and Affected Versions: Primakon Pi Portal version 1.0.18

Description: The /api/v2/user/register endpoint in Primakon Pi Portal is susceptible to a Broken Access Control issue. The endpoint does not enforce authorization checks, enabling unauthenticated attackers to submit POST requests to create new user accounts directly in the application’s local database. This circumvents the expected security design, which depends on an external Identity Provider for initial user registration and assumes internal user creation is restricted to administrators. This issue can potentially be combined with other weaknesses to escalate privileges and fully compromise the application. The endpoint can also be used to enumerate existing user accounts, which could facilitate social engineering or more focused attacks.

Recommendations: Implement proper authorization checks on the /api/v2/user/register endpoint to ensure only authenticated and authorized users can create new accounts.
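The flaw class and the recommended fix, shown side by side as an added example. This is illustrative code, not Primakon Pi Portal's source: the Request and UserStore shapes, the session model and the "admin" role name are assumptions. The vulnerable handler performs no authorization check and touches the database for any caller (so its 409 also doubles as an account-existence oracle); the hardened handler rejects unauthenticated and non-administrator callers before any lookup, so only an administrator can create an account or learn whether a username is taken.

```python
"""Added example (not Primakon Pi Portal code): a registration handler
without and with an authorization check. Request/session layout, the
'admin' role name and the in-memory store are assumptions for illustration."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    json: dict
    # None models an unauthenticated caller; otherwise the server-side session
    session_user: Optional[dict] = None


@dataclass
class UserStore:
    """Stand-in for the application's local user database."""
    users: dict = field(default_factory=dict)

    def exists(self, username: str) -> bool:
        return username in self.users

    def create(self, username: str, role: str) -> None:
        self.users[username] = {"role": role}


def register_vulnerable(req: Request, store: UserStore):
    """Mirrors the flaw class in the advisory: no authorization check, so any
    caller can create an account, and the 409 leaks whether a user exists."""
    username = req.json.get("username", "")
    if store.exists(username):
        return 409, {"error": "user already exists"}
    store.create(username, req.json.get("role", "user"))
    return 201, {"created": username}


def register_hardened(req: Request, store: UserStore):
    """Authorization is enforced before any database access: unauthenticated
    callers get 401, authenticated non-admins get 403, and only then is the
    username looked up or created."""
    if req.session_user is None:
        return 401, {"error": "authentication required"}
    if req.session_user.get("role") != "admin":
        return 403, {"error": "forbidden"}
    username = req.json.get("username", "")
    if not username:
        return 400, {"error": "username required"}
    if store.exists(username):
        return 409, {"error": "user already exists"}
    store.create(username, req.json.get("role", "user"))
    return 201, {"created": username}


def demo():
    """Run an unauthenticated POST against both handlers (constructed input)."""
    anon_post = Request("POST", {"username": "alice", "role": "admin"})
    vulnerable_status, _ = register_vulnerable(anon_post, UserStore())
    hardened_status, _ = register_hardened(anon_post, UserStore())
    return vulnerable_status, hardened_status  # (201, 401)


if __name__ == "__main__":
    print(demo())
```

The same check can be expressed as a decorator or middleware on the route rather than inline; the essential property is that the authorization decision is made before the handler reads the request body or queries the user table.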

Exploit · Fix · LPE · Improper Access Control

Weakness Enumeration

Related Identifiers: CVE-2025-64066

Affected Products: Primakon Pi Portal