Newgen OmniDocs Unauthenticated Broken Function Level Authorization Vulnerability Allowing Account Takeover
Vulnerability
A critical unauthenticated Broken Function Level Authorization vulnerability has been identified in Newgen OmniDocs version 11.0. It allows remote, unauthenticated users to reach the LDAP administration interface and invoke its backend API endpoints. As a result, an attacker can view and modify LDAP domain configurations without authorization, potentially leading to a full account takeover.
Impact
Exploitation of this vulnerability could give an unauthenticated attacker access to the LDAP admin interface and, through it, the ability to view and modify LDAP domain configurations. This could facilitate a full account takeover.
Reproduction
To reproduce this vulnerability, access the LDAP Admin UI without authentication by navigating to the appropriate endpoint. The OmniDocs LDAP Admin Desktop loads successfully, indicating that no authentication is required.
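The vulnerability class described above, an administrative function reachable without any function-level authorization check, shown as an added Python illustration that is not OmniDocs code. The route names under `/ldapadmin/`, the in-memory session store and the domain records are all hypothetical, constructed for this example. The vulnerable dispatcher maps paths straight to handlers; the hardened one declares the role each route requires and denies by default before any handler runs, which is the control whose absence this advisory describes.

```python
"""Added illustration of Broken Function Level Authorization (BFLA).

Hypothetical route names, a toy session store and constructed domain
records; none of this is OmniDocs code. It contrasts a router with no
caller check against one that enforces authentication and role.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class Request:
    path: str
    session_token: Optional[str] = None
    body: Dict[str, str] = field(default_factory=dict)


# Constructed sample sessions: one ordinary user, one administrator.
SESSIONS = {
    "tok-user": {"user": "alice", "roles": {"user"}},
    "tok-admin": {"user": "root", "roles": {"user", "admin"}},
}

# Constructed sample "LDAP domain configuration" store.
LDAP_DOMAINS = {
    "corp": {"host": "ldap.example.internal", "bind_dn": "cn=svc,dc=corp"},
}


def view_domains(req: Request) -> Tuple[int, object]:
    """Admin read: return a copy of every configured domain."""
    return 200, dict(LDAP_DOMAINS)


def update_domain(req: Request) -> Tuple[int, object]:
    """Admin write: create or overwrite a domain record from the body."""
    LDAP_DOMAINS[req.body["name"]] = {
        "host": req.body["host"],
        "bind_dn": req.body["bind_dn"],
    }
    return 200, {"updated": req.body["name"]}


# --- Vulnerable pattern: paths map straight to handlers, so whoever can
# reach the URL can run the admin function (the BFLA defect).
VULNERABLE_ROUTES = {
    "/ldapadmin/ui": lambda req: (200, "admin desktop"),
    "/ldapadmin/api/domains": view_domains,
    "/ldapadmin/api/domains/update": update_domain,
}


def dispatch_vulnerable(req: Request) -> Tuple[int, object]:
    handler = VULNERABLE_ROUTES.get(req.path)
    if handler is None:
        return 404, "not found"
    return handler(req)  # no check of who is calling


# --- Hardened pattern: every route declares the role it requires and the
# dispatcher enforces it before any handler runs (deny by default).
HARDENED_ROUTES = {
    "/ldapadmin/ui": ("admin", lambda req: (200, "admin desktop")),
    "/ldapadmin/api/domains": ("admin", view_domains),
    "/ldapadmin/api/domains/update": ("admin", update_domain),
}


def dispatch_hardened(req: Request) -> Tuple[int, object]:
    entry = HARDENED_ROUTES.get(req.path)
    if entry is None:
        return 404, "not found"
    required_role, handler = entry
    session = SESSIONS.get(req.session_token or "")
    if session is None:
        return 401, "authentication required"   # no valid session
    if required_role not in session["roles"]:
        return 403, "forbidden"                 # authenticated, wrong role
    return handler(req)


if __name__ == "__main__":
    anon = Request("/ldapadmin/api/domains")
    print("vulnerable, anonymous:", dispatch_vulnerable(anon)[0])
    print("hardened, anonymous:  ", dispatch_hardened(anon)[0])
    print("hardened, admin:      ",
          dispatch_hardened(Request("/ldapadmin/api/domains", "tok-admin"))[0])
```

The point of the hardened dispatcher is that the authorization decision is made centrally, per route, rather than left to each handler: an endpoint added without a role declaration simply cannot be registered, so the "forgot the check" failure mode that produces BFLA has nowhere to occur.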
