CVE-2025-59036

Summary

Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versiond 1.3.9 and 1.4.5, a bug in the authentication logic will cause API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully. This issue is fixed in versions 1.3.9 and 1.4.5. As a workaround, users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.

Affected Software

VendorProductVersion RangeStatus
opsmillinfrahub< 1.3.9affected
opsmillinfrahub>= 1.4.0, < 1.4.5affected

Weaknesses

  • CWE-298: CWE-298: Improper Validation of Certificate Expiration

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References