Continuous Software Aangine Broken Access Control Vulnerability
Vulnerability
A broken access control vulnerability has been identified in Continuous Software Aangine version 2025.2. This issue allows low-privileged authenticated users to access several admin-restricted API endpoints and obtain sensitive information. The vulnerability arises because these APIs do not properly validate the user's role or scope claims carried in the JWT, so any authenticated caller can reach administrative resources. Affected endpoints include those related to template management, integration job listings, logging and monitoring functions, and portfolio or project data retrieval.
Impact
Exploitation of this vulnerability leads to unauthorized access to sensitive administrative information, such as internal configuration data, integration job details, logs, and portfolio or project-related records.
Reproduction
To reproduce this vulnerability, a low-privileged authenticated user can send HTTP requests directly to the admin-restricted API endpoints. The absence of proper authorization checks at the API layer allows these requests to bypass role and scope validations, resulting in unauthorized access to sensitive administrative data.
Remediation
The vendor has implemented backend authorization controls to address this vulnerability. It has been fixed in the current release following remediation efforts and verification testing.
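The defect described above is a missing server-side authorization step: the backend authenticates the JWT but never compares its role or scope claims against what the admin route requires. The following is an added illustration, not Aangine's code or the vendor's fix, of the flawed pattern beside a deny-by-default replacement. It assumes the JWT signature and expiry were already verified upstream so that `claims` is the trusted decoded payload; the route paths, claim names (`roles`, `scope`) and policy table are constructed placeholders, not the product's real endpoints.

```python
# Added example (not the vendor's code): backend authorization for admin-restricted
# API routes driven by JWT role and scope claims.
# Assumption: an upstream layer has already verified the JWT signature and expiry,
# so `claims` is the trusted decoded payload. Paths and claim names below are
# constructed placeholders, not Aangine's real endpoints.

from dataclasses import dataclass

ADMIN_PREFIX = "/api/admin/"

# Constructed policy table: route -> (roles allowed to call it, scopes the token must carry).
ADMIN_POLICY = {
    "/api/admin/templates": ({"admin"}, {"templates:read"}),
    "/api/admin/integrations/jobs": ({"admin", "integration-operator"}, {"integrations:read"}),
    "/api/admin/logs": ({"admin"}, {"logs:read"}),
}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def _roles(claims):
    """Normalise the `roles` claim (string or list) to a set."""
    raw = claims.get("roles", [])
    return {raw} if isinstance(raw, str) else set(raw)


def _scopes(claims):
    """Normalise the `scope` claim (space-separated string or list) to a set."""
    raw = claims.get("scope", "")
    return set(raw.split()) if isinstance(raw, str) else set(raw)


def _route_matches(policy_path, request_path):
    """Exact route or a sub-path of it; avoids '/api/admin/logs' matching '/api/admin/logsX'."""
    return request_path == policy_path or request_path.startswith(policy_path + "/")


def authorize_vulnerable(claims, path):
    """The flawed pattern: possessing any valid token is enough to reach admin routes."""
    if "sub" not in claims:
        return Decision(False, "unauthenticated")
    return Decision(True, "authenticated")  # role and scope are never consulted


def authorize(claims, path):
    """Hardened pattern: authenticate, then enforce role AND scope per route, deny by default."""
    if "sub" not in claims:
        return Decision(False, "unauthenticated")
    if not path.startswith(ADMIN_PREFIX):
        return Decision(True, "non-admin route")
    # Admin routes without an explicit policy entry are denied rather than allowed.
    match = next((p for p in ADMIN_POLICY if _route_matches(p, path)), None)
    if match is None:
        return Decision(False, "no policy for admin route")
    allowed_roles, required_scopes = ADMIN_POLICY[match]
    if not (_roles(claims) & allowed_roles):
        return Decision(False, "role not permitted for route")
    missing = required_scopes - _scopes(claims)
    if missing:
        return Decision(False, "missing scopes: " + " ".join(sorted(missing)))
    return Decision(True, "role and scope satisfied")


if __name__ == "__main__":
    # Constructed sample tokens: a low-privileged user and an administrator.
    user_claims = {"sub": "u-1", "roles": ["user"], "scope": "projects:read"}
    admin_claims = {"sub": "a-1", "roles": ["admin"], "scope": "logs:read templates:read"}
    for who, claims in (("user", user_claims), ("admin", admin_claims)):
        print(who, "vulnerable:", authorize_vulnerable(claims, "/api/admin/logs"))
        print(who, "hardened: ", authorize(claims, "/api/admin/logs"))
```

Two design points matter here. First, the check runs on the backend at the point the request is served, so hiding admin menus in the client does nothing to close the hole. Second, the policy is deny-by-default: an admin route that nobody added to the table is refused, which is the failure mode that turns a forgotten endpoint into a finding like the one above.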
