Infrahub Authentication Bypass Vulnerability Allowing Deleted or Expired API Tokens to be Valid

Vulnerability

A vulnerability exists in Infrahub versions prior to 1.3.9 and 1.4.5, where the authentication logic does not reject deleted or expired API tokens. Any API token linked to an active user account authenticates successfully, regardless of the token's own deletion or expiry state, which can lead to unauthorized access. The issue has been addressed in versions 1.3.9 and 1.4.5.

Impact

A token that has been deleted (revoked) or has passed its expiry continues to grant the access of the account it belongs to, so revoking or rotating a token does not actually cut off a holder of the old value while the owning account remains active. This can lead to unauthorized access to the Infrahub API.

Remediation

Users should update to Infrahub version 1.3.9 or 1.4.5 to address this vulnerability. As a temporary measure until the upgrade is applied, users can delete or deactivate the account associated with a deleted or expired API token; since the flawed check only consults the account's status, deactivating the account is what actually prevents that token from being used for authentication.
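The following is an added illustration of the flaw class and of the interim mitigation described above; it is not Infrahub's code. The data model, the field names (`expires_at`, `deleted_at`, `active`) and both validation functions are assumptions chosen to show the failure mode: a check that resolves a token to its user and then tests only whether the user is active, beside a corrected check that also fails closed on the token's own deletion and expiry state. The sample users and tokens are constructed.

```python
"""Token-validation flaw: user status checked, token state ignored.

Added example, not Infrahub's code. The data model and both validation
functions are assumptions used to demonstrate the failure mode.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional


@dataclass
class User:
    username: str
    active: bool


@dataclass
class ApiToken:
    value: str
    username: str
    expires_at: Optional[datetime]         # None means the token never expires
    deleted_at: Optional[datetime] = None  # soft delete; None means still live


# Constructed sample data (assumption: deleted tokens remain as soft-deleted rows).
NOW = datetime(2025, 9, 9, 22, 0, tzinfo=timezone.utc)

USERS = {
    "alice": User("alice", active=True),
    "bob": User("bob", active=False),
}

TOKENS = {
    "tok-live":    ApiToken("tok-live",    "alice", NOW + timedelta(days=30)),
    "tok-expired": ApiToken("tok-expired", "alice", NOW - timedelta(hours=1)),
    "tok-deleted": ApiToken("tok-deleted", "alice", NOW + timedelta(days=30),
                            deleted_at=NOW - timedelta(days=2)),
    "tok-bob":     ApiToken("tok-bob",     "bob",   NOW + timedelta(days=30)),
}


def authenticate_vulnerable(token_value, users=USERS, tokens=TOKENS, now=NOW):
    """Flawed check: any token row that resolves to an active user is accepted.

    The token's own expiry and deletion state are never consulted, which is the
    shape of the flaw the advisory describes.
    """
    token = tokens.get(token_value)
    if token is None:
        return None
    user = users.get(token.username)
    if user is None or not user.active:
        return None
    return user.username


def authenticate_fixed(token_value, users=USERS, tokens=TOKENS, now=NOW):
    """Corrected check: the token must exist, be undeleted and unexpired, and
    belong to an active user. Every condition fails closed."""
    token = tokens.get(token_value)
    if token is None or token.deleted_at is not None:
        return None
    if token.expires_at is not None and token.expires_at <= now:
        return None
    user = users.get(token.username)
    if user is None or not user.active:
        return None
    return user.username


def stale_but_accepted(users=USERS, tokens=TOKENS, now=NOW):
    """Audit helper: tokens the flawed path accepts but the fixed path rejects.

    These are the tokens an operator should treat as still usable until the
    upgrade is applied or their owning account is deactivated.
    """
    return sorted(
        value for value in tokens
        if authenticate_vulnerable(value, users, tokens, now) is not None
        and authenticate_fixed(value, users, tokens, now) is None
    )


def after_workaround(username, users=USERS, tokens=TOKENS, now=NOW):
    """Apply the interim mitigation (deactivate the owning account) to a copy of
    the user table and report which tokens the flawed path still accepts."""
    patched = {name: User(u.username, u.active) for name, u in users.items()}
    patched[username].active = False
    return sorted(v for v in tokens
                  if authenticate_vulnerable(v, patched, tokens, now) is not None)


if __name__ == "__main__":
    for value in TOKENS:
        print(f"{value:12s} vulnerable={authenticate_vulnerable(value)!s:6s} "
              f"fixed={authenticate_fixed(value)}")
    print("stale but accepted:", stale_but_accepted())
    print("accepted after deactivating alice:", after_workaround("alice"))
```

Running the block shows the expired and deleted tokens both passing the flawed check as `alice`, and the audit helper listing exactly those two; deactivating `alice` makes every token tied to the account fail, including the live one, which is why the workaround is a blunt interim measure rather than a substitute for the upgrade.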

Added: Sep 9, 2025, 10:16 PM
Updated: Sep 9, 2025, 10:16 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.6
exploitability: 5.0
remediation: 0.0
relevance: 0.5
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.