PT-2026-60060 · Unknown · Apollo Portal

Published

2026-07-13

·

Updated

2026-07-15

·

CVE-2025-32781

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apollo Portal versions prior to 2.5.0
Description Apollo Portal fails to verify application and namespace permissions when an authenticated user requests a release by ID. This occurs when configView.memberOnly.envs is enabled and a request is made to the endpoint 'GET /envs/{env}/releases/{releaseId}'. A low-privileged user who obtains or guesses a valid releaseId can read configuration data from other applications and namespaces because the system does not call the UserPermissionValidator.shouldHideConfigToCurrentUser() function. This may expose sensitive information such as credentials or service endpoints.
Recommendations Update to version 2.5.0. Restrict Apollo Portal access to trusted users.

Fix

IDOR

Missing Authorization

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

CVE-2025-32781
GHSA-JXPJ-9J24-W337

Affected Products

Apollo Portal