CVE-2025-59036
September 09, 2025
Infrahub offers a central hub to manage data, templates, and playbooks. Prior to versions 1.3.9 and 1.4.5, a bug in the authentication logic causes API tokens that were deleted and/or expired to be considered valid. This means that any API token that is associated with an active user account can authenticate successfully, regardless of the token's own state. This issue is fixed in versions 1.3.9 and 1.4.5. As a workaround, users can delete or deactivate the account associated with a deleted API token to prevent that token from authenticating.
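A minimal model of the check described above, added here as an illustration and not Infrahub's own code: the account, token and token-store types, the defective check and the hardened check are all assumptions, and a deleted token is modelled as a soft-delete flag on a row that is still present. The hardened variant validates the token's own state before consulting the owning account; the final function shows why the advisory's workaround (deactivating the account) also closes the defective path.

```python
"""Hypothetical model of the CVE-2025-59036 token-check defect (not Infrahub code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional


@dataclass
class Account:
    name: str
    active: bool = True


@dataclass
class ApiToken:
    token_id: str
    account: Account
    expires_at: Optional[datetime] = None  # None means the token never expires
    deleted: bool = False                  # assumption: deletion is a soft-delete flag


# Constructed sample store: one active account owning tokens in three states.
NOW = datetime(2025, 9, 9, tzinfo=timezone.utc)
ALICE = Account("alice")
TOKENS: Dict[str, ApiToken] = {
    "live": ApiToken("live", ALICE, expires_at=NOW + timedelta(days=30)),
    "expired": ApiToken("expired", ALICE, expires_at=NOW - timedelta(days=1)),
    "deleted": ApiToken("deleted", ALICE, deleted=True),
}


def authenticate_vulnerable(token_id: str, now: datetime = NOW) -> bool:
    """Defective pattern: the token row is resolved to its owner and only the
    owner's account status is checked, so a deleted or expired token still
    authenticates as long as the account is active."""
    token = TOKENS.get(token_id)
    return token is not None and token.account.active


def authenticate_fixed(token_id: str, now: datetime = NOW) -> bool:
    """Hardened check: the token itself must exist, be undeleted and unexpired,
    and only then does the owning account's status matter."""
    token = TOKENS.get(token_id)
    if token is None or token.deleted:
        return False
    if token.expires_at is not None and token.expires_at <= now:
        return False
    return token.account.active


def apply_workaround(account: Account) -> None:
    """The advisory's mitigation: deactivating the owning account makes every
    token tied to it fail, even under the defective check."""
    account.active = False
```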
Affected Packages
https://github.com/opsmill/infrahub.git (GITHUB):
  Affected version(s): >=infrahub-v0.9.1 <infrahub-v1.3.9
  Fix Suggestion: Update to version infrahub-v1.3.9
https://github.com/opsmill/infrahub.git (GITHUB):
  Affected version(s): >=infrahub-v1.4.0 <infrahub-v1.4.5
  Fix Suggestion: Update to version infrahub-v1.4.5
infrahub-server (PYTHON):
  Affected version(s): >=1.0.1 <1.3.9
  Fix Suggestion: Update to version 1.3.9
infrahub-server (PYTHON):
  Affected version(s): >=1.4.0 <1.4.5
  Fix Suggestion: Update to version 1.4.5
CVSS v4
Base Score: 5.1
Attack Vector: NETWORK
Attack Complexity: LOW
Attack Requirements: NONE
Privileges Required: LOW
User Interaction: PASSIVE
Vulnerable System Confidentiality: LOW
Vulnerable System Integrity: LOW
Vulnerable System Availability: LOW
Subsequent System Confidentiality: NONE
Subsequent System Integrity: NONE
Subsequent System Availability: NONE
CVSS v3
Base Score: 5.5
Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: REQUIRED
Scope: UNCHANGED
Confidentiality: LOW
Integrity: LOW
Availability: LOW
Weakness Type (CWE): Improper Validation of Certificate Expiration
EPSS
Base Score: 0.07