CVE-2025-59034

Published: Sep 10, 2025
Updated: Sep 11, 2025
CVE: <a href="https://nvd.nist.gov/vuln/detail/CVE-2025-59034" target="_blank" rel="noopener"> CVE-2025-59034
GHSA: <a href="https://github.com/advisories/GHSA-4269-mcfh-cp7q" target="_blank" rel="noopener"> GHSA-4269-mcfh-cp7q
Severity: Medium
Exploit:

Impact

A legacy API to retrieve user details could be misused to retrieve profile details of other users without having admin permissions due to a broken access check.

Patches

You should to update to Indico 3.3.8 as soon as possible. See the docs for instructions on how to update.

Workarounds

It is possible to restrict access to the affected API (e.g. in the webserver config) which is most likely unused anyway and thus will not break anything.