CVE-2025-10696

5.4 MEDIUM

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whethe...

Published: 2025-10-03 · Last updated: 2026-06-01

Severity and scoring

CVSS: 5.4 MEDIUM
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
CWE: CWE-863

Affected products

Vendor	Product
opensupports	opensupports

Description

OpenSupports exposes an endpoint that allows the list of 'supervised users' for any account to be edited, but it does not validate whether the actor is the owner of that list. A Level 1 staff member can modify the supervision relationship of a third party (the target user), who can then view the tickets of the added 'supervised' users. This breaks the authorization model and filters the content of other users' tickets.This issue affects OpenSupports: 4.11.0.

Source: NVD

References

[NVD]https://nvd.nist.gov/vuln/detail/CVE-2025-10696
[Exploit reference]https://fluidattacks.com/advisories/stratovarius
[Other]https://github.com/opensupports/opensupports
[Exploit reference]https://fluidattacks.com/advisories/stratovarius

Related CVEs

Same CWE

CVE-2026-53860 — OpenClaw before 2026.5.7 contains a sender policy bypass vulnerability in BlueBubbles that allows participants to match allowlist entries... (4.2 MEDIUM)
CVE-2026-53855 — OpenClaw before 2026.4.2 contains an inline-eval bypass vulnerability allowing authenticated operators to weaken strict allowlist checks ... (8.1 HIGH)
CVE-2026-53854 — OpenClaw before 2026.4.25 contains a privilege escalation vulnerability in internal and webchat command authentication that allows sender... (6.5 MEDIUM)
CVE-2026-53853 — OpenClaw before 2026.5.12 contains an argument pattern validation bypass in the exec allowlist that allows attackers to execute disallowe... (8.3 HIGH)
CVE-2026-5149 — The RTMKit plugin for WordPress is vulnerable to Incorrect Authorization in all versions up to, and including, 2.0.7 This is due to the g... (6.5 MEDIUM)