CVE-2025-26374

Name of the Vulnerable Software and Affected Versions: Q-Free MaxTime versions 2.11.0 and earlier

Description: A missing authorization issue in the maxprofile/users/routes.lua file, specifically in the "users endpoint", allows an authenticated attacker with low privileges to enumerate users by sending crafted HTTP requests to the /users endpoint. The username variable can be exploited to gain unauthorized access to user information.

Recommendations: For Q-Free MaxTime versions 2.11.0 and earlier, consider disabling the users endpoint until a patch is available to prevent user enumeration. Restrict access to the maxprofile/users/routes.lua file to minimize the risk of exploitation. Avoid using the username variable in the affected endpoint until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.