Liferay Portal, Incorrect Authorization, CVE-2025-29418 (Moderate)

Listen to this Post

This CVE-2025-29418 is an Improper Access Control vulnerability within Liferay’s API Builder component. The flaw exists in the authorization check mechanism for API endpoints. When a request is made to an API Builder endpoint for an object entry, the system incorrectly assigns guest user permissions instead of validating if the unauthenticated user has explicit view rights. This authorization bypass allows a remote attacker to craft specific HTTP GET requests to endpoints that should be restricted. By accessing these endpoints, a guest user can retrieve sensitive information stored within object entries, such as personally identifiable information or other internal data, without requiring any authentication credentials or a valid session.
Platform: Liferay Portal/DXP
Version: 7.4.0-7.4.3.124
Vulnerability: Authorization Bypass
Severity: Moderate

date: 2025-09-10

Prediction: Patch: 2025-09-17

What Undercode Say:

curl -X GET “http://target/api/endpoint”

grep -r “authorization” /liferay/webapps/ROOT/WEB-INF/

cat /liferay/portal-ext.properties | grep “api”

How Exploit:

Unauthenticated API Requests

Protection from this CVE

Update to 1.0.32

Impact:

Sensitive Data Disclosure

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: github.com
Extra Source Hub:
Undercode

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top