PT-2026-60060 · Unknown · Apollo Portal
Published
2026-07-13
·
Updated
2026-07-15
·
CVE-2025-32781
CVSS v3.1
6.5
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apollo Portal versions prior to 2.5.0
Description
Apollo Portal fails to verify application and namespace permissions when an authenticated user requests a release by ID. This occurs when
configView.memberOnly.envs is enabled and a request is made to the endpoint 'GET /envs/{env}/releases/{releaseId}'. A low-privileged user who obtains or guesses a valid releaseId can read configuration data from other applications and namespaces because the system does not call the UserPermissionValidator.shouldHideConfigToCurrentUser() function. This may expose sensitive information such as credentials or service endpoints.Recommendations
Update to version 2.5.0.
Restrict Apollo Portal access to trusted users.
Fix
IDOR
Missing Authorization
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Apollo Portal