CVE-2026-28511 eLabFTW Information Disclosure – Title Exposure via Cross-Scope Search
eLabFTW, an open-source electronic lab notebook platform, contains an information disclosure vulnerability affecting versions before 5.4.2. When an authenticated user performs a numeric search or reference lookup, the system may return resource titles that the user should not have access to view. The actual content of those resources remains protected—only the titles are exposed. This is particularly concerning because titles may contain sensitive information such as project names, patient identifiers, or regulated data that could constitute unauthorized disclosure.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-200
- Affected products
- 1 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
eLabFTW is an open source electronic lab notebook. Prior to version 5.4.2, in certain cases, an authenticated user performing a numeric reference/search can return results that include resources the requesting user is not authorized to view. The exposed information is limited (only the title). Attempts to access the underlying protected resource content remain blocked by authorization checks. Version 5.4.2 fixes the issue. # Affected Scope Cross-scope visibility of titles. No confirmed bypass of content-level access controls # Preconditions An authenticated user account No special privileges required beyond standard access # Impact This may enable unauthorized disclosure of sensitive information if confidential data is included in resource titles. Examples could include project names, patient identifiers, or other regulated information embedded in titles.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-28511 is a cross-scope visibility issue in eLabFTW's search and reference functionality. The vulnerability allows an authenticated user to enumerate resource titles across authorization boundaries through numeric reference/search operations. The root cause appears to be insufficient scope filtering during search result compilation, permitting disclosure of metadata that should be restricted by the access control model. Content-level authorization checks remain intact, preventing access to the protected resource data itself. The vulnerability is classified as CWE-200 (Exposure of Sensitive Information to an Unauthorized Actor) and carries a CVSS v3.1 score of 4.3 (Medium severity). Exploitation requires valid authentication credentials but no elevated privileges.
Business impact
For organizations using eLabFTW to manage confidential research, clinical data, or regulated information, this vulnerability creates a compliance and confidentiality risk. While attackers cannot read protected content, the leakage of resource titles alone may violate data protection regulations (HIPAA, GDPR, etc.) if those titles contain personally identifiable information or regulated identifiers. Teams managing sensitive projects face potential exposure of project names and research directions. The attack surface is limited to authenticated users, reducing but not eliminating organizational risk, particularly if account credentials are compromised or if internal actors conduct reconnaissance.
Affected systems
eLabFTW versions prior to 5.4.2 are affected. The vulnerability impacts all deployments regardless of deployment model (cloud, on-premises, Docker). Any instance where authenticated users can perform numeric reference or search operations is susceptible. Organizations running version 5.4.2 or later are not affected.
Exploitability
Exploitation requires valid authentication credentials; the vulnerability cannot be exploited by unauthenticated users. Once authenticated, an attacker can trigger the disclosure passively through normal search operations—no special tools, privileges, or user interaction are needed. The simplicity of triggering the vulnerability via standard search functionality makes it accessible to any authenticated user, including those with minimal privileges. However, the attacker must know or guess appropriate search terms to retrieve specific cross-scope resources, which may limit targeted exploitation in practice.
Remediation
Upgrade eLabFTW to version 5.4.2 or later. This is a straightforward remediation as no workarounds or configuration changes are documented. Organizations should verify the upgrade version through the official eLabFTW release notes before deployment. For deployments using containerized images or package managers, update from the official repository to ensure integrity.
Patch guidance
Apply eLabFTW version 5.4.2 or later as a priority update. Test the upgrade in a non-production environment first to confirm compatibility with any custom configurations or integrations. Because this is an information disclosure fix rather than a functional change, the upgrade should not introduce breaking changes. Document the patching in your change management system and verify that search functionality behaves as expected post-upgrade. If using automated deployment pipelines, ensure image registries reflect the updated version.
Detection guidance
Review eLabFTW access logs and search query patterns for unusual numeric reference or search activity that correlates with cross-scope resource access attempts. Search for queries that return results from projects or experiments the user should not access. Monitor authentication logs for account compromise that might precede reconnaissance via search. If you have deployed eLabFTW with sensitive data in titles, conduct a manual audit of recent search activity by privileged or service accounts. Additionally, review the source code of any custom integrations that invoke search or reference APIs to ensure they do not inadvertently leak results to unauthorized contexts.
Why prioritize this
Although the CVSS score is moderate (4.3), prioritize patching based on your data sensitivity and user base. Organizations handling regulated data (healthcare, research, financial) where titles contain identifiable information should treat this as high priority due to compliance implications. Organizations with eLabFTW instances accessible only to trusted internal users with low-sensitivity data may schedule this as routine maintenance. The lack of public exploitation or active KEV listing suggests this is not yet a widespread attack vector, but the ease of triggering the vulnerability justifies prompt attention.
Risk score, explained
The CVSS v3.1 score of 4.3 reflects a network-accessible vulnerability (AV:N) that requires authentication (PR:L) and results in limited confidentiality impact (C:L). No integrity or availability impact is present. The score appropriately weights the requirement for valid credentials, which substantially reduces real-world risk compared to an unauthenticated disclosure flaw. However, the score does not fully capture organizational risk if eLabFTW instances contain highly regulated data in titles, which should inform local risk assessment.
Frequently asked questions
Can an unauthenticated attacker exploit this vulnerability?
No. The vulnerability requires a valid eLabFTW user account. Unauthenticated users cannot access the search functionality that triggers the disclosure.
Does this vulnerability allow attackers to read the full content of protected resources?
No. Content-level authorization checks remain in place and continue to block access to resource data. Only the resource titles are exposed; the actual files, notes, or experiments remain protected.
Is there a workaround if we cannot upgrade immediately?
No formal workaround is documented. Mitigation options are limited to restricting search functionality administratively or reducing sensitive information in resource titles. Upgrading to 5.4.2 is the recommended path.
Does this vulnerability appear in the CISA KEV catalog?
No, this vulnerability is not currently listed in CISA's Known Exploited Vulnerabilities catalog, indicating no confirmed active exploitation in the wild as of the publication date.
This analysis is based on the CVE-2026-28511 advisory and public information available as of June 2026. Actual exploitation requirements, scope, and impact may vary based on specific eLabFTW configurations, deployment topology, and data classification within your organization. Always verify patch applicability and compatibility with your deployment before production rollout. This document does not constitute legal or compliance advice; consult your legal and compliance teams regarding regulatory obligations related to this vulnerability. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10254MEDIUMUnauthenticated Information Disclosure in SourceCodester Pet Grooming Software
- CVE-2026-10854MEDIUMMISP Galaxy Visibility Control Bypass – Unauthorized Private Metadata Access
- CVE-2026-10864MEDIUMMISP Dashboard Widget Field Filtering Bypass (Medium)
- CVE-2026-2128MEDIUMBreeze WordPress Plugin Cache Information Disclosure (v2.5.2 and earlier)
- CVE-2026-36602MEDIUMMercusys AC12G Kernel Memory Disclosure via UPnP
- CVE-2026-36615MEDIUMMercusys AC12G (EU) Unauthenticated Information Disclosure via /agileconfigreset Endpoint
- CVE-2026-36618MEDIUMMercusys AC12G DNS Version Disclosure Vulnerability
- CVE-2026-42358MEDIUMApache Airflow Secret Masking Bypass for Deeply Nested JSON Variables