CVE-2025-64400

Summary

Control Panel provides an API for pre-registering into an enrollment and organization prior to a user's first login. The API for creating users checks that the account requesting a user creation has edit on the enrollment-level user directory, but is missing a separate check that the enrollment editor has access (or belongs to) the organization that they are adding a user to.

Affected Software

VendorProductVersion RangeStatus
Palantircom.palantir.controlpanel:control-panel1.1395.1unaffected
Palantircom.palantir.controlpanel:control-panel1.1384.1unaffected
Palantircom.palantir.controlpanel:control-panel1.1401.0 < *unaffected
Palantircom.palantir.controlpanel:control-panel* < 1.1401.0affected
Palantircom.palantir.controlpanel:control-panel1.1346.1unaffected
Palantircom.palantir.controlpanel:control-panel1.1352.1unaffected
Palantircom.palantir.controlpanel:control-panel1.1352.5unaffected

Weaknesses

  • CWE-284: The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References