CVE-2025-26370

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier

Description: A missing authorization issue in maxprofile/user-groups/routes.lua allows an authenticated, low-privileged attacker to remove privileges from user groups via crafted HTTP requests.

Recommendations: For Q-Free MaxTime versions 2.11.0 and earlier, update to a version later than 2.11.0 to resolve the issue. As a temporary workaround, consider restricting access to the maxprofile/user-groups/routes.lua file until a patch is available. Restrict low-privileged users from making HTTP requests to sensitive routes to minimize the risk of exploitation.