MEDIUM 4.3

CVE-2026-28511 eLabFTW Information Disclosure – Title Exposure via Cross-Scope Search

eLabFTW, an open-source electronic lab notebook platform, contains an information disclosure vulnerability affecting versions before 5.4.2. When an authenticated user performs a numeric search or reference lookup, the system may return resource titles that the user should not have access to view. The actual content of those resources remains protected—only the titles are exposed. This is particularly concerning because titles may contain sensitive information such as project names, patient identifiers, or regulated data that could constitute unauthorized disclosure.

Source data · NVD / CISA · public domain

CVSS
3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Weaknesses (CWE)
CWE-200
Affected products
1 configuration(s)
Published / Modified
2026-06-01 / 2026-06-17

NVD description (verbatim)

eLabFTW is an open source electronic lab notebook. Prior to version 5.4.2, in certain cases, an authenticated user performing a numeric reference/search can return results that include resources the requesting user is not authorized to view. The exposed information is limited (only the title). Attempts to access the underlying protected resource content remain blocked by authorization checks. Version 5.4.2 fixes the issue. # Affected Scope Cross-scope visibility of titles. No confirmed bypass of content-level access controls # Preconditions An authenticated user account No special privileges required beyond standard access # Impact This may enable unauthorized disclosure of sensitive information if confidential data is included in resource titles. Examples could include project names, patient identifiers, or other regulated information embedded in titles.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-28511 is a cross-scope visibility issue in eLabFTW's search and reference functionality. The vulnerability allows an authenticated user to enumerate resource titles across authorization boundaries through numeric reference/search operations. The root cause appears to be insufficient scope filtering during search result compilation, permitting disclosure of metadata that should be restricted by the access control model. Content-level authorization checks remain intact, preventing access to the protected resource data itself. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and carries a CVSS v3.1 score of 4.3 (Medium severity). Exploitation requires valid authentication credentials but no elevated privileges.

Business impact

For organizations using eLabFTW to manage confidential research, clinical data, or regulated information, this vulnerability creates a compliance and confidentiality risk. While attackers cannot read protected content, the leakage of resource titles alone may violate data protection regulations (HIPAA, GDPR, etc.) if those titles contain personally identifiable information or regulated identifiers. Teams managing sensitive projects face potential exposure of project names and research directions. The attack surface is limited to authenticated users, reducing but not eliminating organizational risk, particularly if account credentials are compromised or if internal actors conduct reconnaissance.

Affected systems

eLabFTW versions prior to 5.4.2 are affected. The vulnerability impacts all deployments regardless of deployment model (cloud, on-premises, Docker). Any instance where authenticated users can perform numeric reference or search operations is susceptible. Organizations running version 5.4.2 or later are not affected.

Exploitability

Exploitation requires valid authentication credentials; the vulnerability cannot be exploited by unauthenticated users. Once authenticated, an attacker can trigger the disclosure passively through normal search operations—no special tools, privileges, or user interaction are needed. The simplicity of triggering the vulnerability via standard search functionality makes it accessible to any authenticated user, including those with minimal privileges. However, the attacker must know or guess appropriate search terms to retrieve specific cross-scope resources, which may limit targeted exploitation in practice.

Remediation

Upgrade eLabFTW to version 5.4.2 or later. This is a straightforward remediation as no workarounds or configuration changes are documented. Organizations should verify the upgrade version through the official eLabFTW release notes before deployment. For deployments using containerized images or package managers, update from the official repository to ensure integrity.

Patch guidance

Apply eLabFTW version 5.4.2 or later as a priority update. Test the upgrade in a non-production environment first to confirm compatibility with any custom configurations or integrations. Because this is an information disclosure fix rather than a functional change, the upgrade should not introduce breaking changes. Document the patching in your change management system and verify that search functionality behaves as expected post-upgrade. If using automated deployment pipelines, ensure image registries reflect the updated version.

Detection guidance

Review eLabFTW access logs and search query patterns for unusual numeric reference or search activity that correlates with cross-scope resource access attempts. Search for queries that return results from projects or experiments the user should not access. Monitor authentication logs for account compromise that might precede reconnaissance via search. If you have deployed eLabFTW with sensitive data in titles, conduct a manual audit of recent search activity by privileged or service accounts. Additionally, review the source code of any custom integrations that invoke search or reference APIs to ensure they do not inadvertently leak results to unauthorized contexts.

Why prioritize this

Although the CVSS score is moderate (4.3), prioritize patching based on your data sensitivity and user base. Organizations handling regulated data (healthcare, research, financial) where titles contain identifiable information should treat this as high priority due to compliance implications. Organizations with eLabFTW instances accessible only to trusted internal users with low-sensitivity data may schedule this as routine maintenance. The lack of public exploitation or active KEV listing suggests this is not yet a widespread attack vector, but the ease of triggering the vulnerability justifies prompt attention.

Risk score, explained

The CVSS v3.1 score of 4.3 reflects a network-accessible vulnerability (AV:N) that requires authentication (PR:L) and results in limited confidentiality impact (C:L). No integrity or availability impact is present. The score appropriately weights the requirement for valid credentials, which substantially reduces real-world risk compared to an unauthenticated disclosure flaw. However, the score does not fully capture organizational risk if eLabFTW instances contain highly regulated data in titles, which should inform local risk assessment.

Frequently asked questions

Can an unauthenticated attacker exploit this vulnerability?

No. The vulnerability requires a valid eLabFTW user account. Unauthenticated users cannot access the search functionality that triggers the disclosure.

Does this vulnerability allow attackers to read the full content of protected resources?

No. Content-level authorization checks remain in place and continue to block access to resource data. Only the resource titles are exposed; the actual files, notes, or experiments remain protected.

Is there a workaround if we cannot upgrade immediately?

No formal workaround is documented. Mitigation options are limited to restricting search functionality administratively or reducing sensitive information in resource titles. Upgrading to 5.4.2 is the recommended path.

Does this vulnerability appear in the CISA KEV catalog?

No, this vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog, indicating no confirmed active exploitation in the wild as of the publication date.

This analysis is based on the CVE-2026-28511 advisory and public information available as of June 2026. Actual exploitation requirements, scope, and impact may vary based on specific eLabFTW configurations, deployment topology, and data classification within your organization. Always verify patch applicability and compatibility with your deployment before production rollout. This document does not constitute legal or compliance advice; consult your legal and compliance teams regarding regulatory obligations related to this vulnerability. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).