
CVE-2025-53640

Broken Access Control

CVE-2025-53640: User enumeration via API endpoint

CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-53640

Summary

A Broken Object Level Authorization (BOLA) vulnerability in Indico enables authenticated user enumeration via the /api/principals endpoint, exposing names, emails, and affiliations. Includes exploitation script, request analysis, and screenshots. Affects globally deployed Indico instances (European Organization for Nuclear Research (CERN), United Nations (UN), Massachusetts Institute of Technology (MIT), European Space Agency (ESA), among others).

Details

A Broken Object Level Authorization (BOLA) vulnerability in the open-source application Indico allows mass user enumeration through the /api/principals endpoint.

Originally intended to resolve user IDs in specific form fields, this endpoint can be misused to retrieve personal details of any valid user ID:

  • Full name
  • Email address
  • Title
  • Affiliation
  • Avatar URL

Exploitation Requirements

  • A valid authenticated session is required.
  • However, most public Indico instances allow self-registration with no email verification, CAPTCHA, or manual approval.
  • This makes the vulnerability practically exploitable by unauthenticated users after trivial account creation.
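A defender-side detection check for the enumeration pattern described above, added here as an example (it is not code from the CVE-Hunters page or from the Indico project): it parses constructed access-log lines and flags sessions that resolve an unusually large number of distinct principal ids through /api/principals inside a short window. The log field layout (a `sess=` session tag and an `ids=` list of requested principals) is an assumption about how a WAF or application log might record the requests.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Log shape is ASSUMED for illustration: combined-log prefix, then a session tag and
# the principal ids requested from /api/principals. These are not Indico's real fields.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ sess=(?P<sess>\S+) ids=(?P<ids>\S+)$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_principal_requests(log_text):
    """Yield (session, timestamp, {principal ids}) for successful /api/principals calls."""
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m or m["path"] != "/api/principals" or m["status"] != "200":
            continue
        yield m["sess"], datetime.strptime(m["ts"], TS_FMT), set(m["ids"].split(","))

def find_enumeration(log_text, window=timedelta(minutes=1), threshold=20):
    """Return {session: peak distinct ids resolved inside any `window`} for sessions
    above `threshold`. A form-field lookup resolves a handful of ids; a sweep over
    sequential ids resolves many within seconds."""
    per_session = defaultdict(list)
    for sess, ts, ids in parse_principal_requests(log_text):
        per_session[sess].append((ts, ids))
    flagged = {}
    for sess, reqs in per_session.items():
        reqs.sort(key=lambda r: r[0])
        peak = 0
        for i, (start, _) in enumerate(reqs):   # sliding window from each request
            seen = set()
            for ts, ids in reqs[i:]:
                if ts - start > window:
                    break
                seen |= ids
            peak = max(peak, len(seen))
        if peak > threshold:
            flagged[sess] = peak
    return flagged

def _line(sec, sess, ids):   # builds one constructed sample log line
    return (f'10.0.0.5 - - [10/Jul/2025:12:00:{sec:02d} +0000] "POST /api/principals HTTP/1.1" '
            f'200 300 sess={sess} ids={",".join(ids)}')

# Constructed sample: one legitimate 3-id lookup, then a sweep over ids 1000-1029 in 6 calls.
SAMPLE_LOG = "\n".join(
    [_line(1, "benign", ["User:42", "User:43", "User:44"])]
    + [_line(5 + k, "sweep", [f"User:{1000 + 5 * k + j}" for j in range(5)]) for k in range(6)]
)
```

Running `find_enumeration(SAMPLE_LOG)` flags only the `sweep` session with 30 distinct ids; tune `window` and `threshold` to the instance's normal form-lookup traffic before alerting on it.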

PoC

Exploit

PoC script to be published after responsible disclosure timeline.

Global Impact

Indico is a widely adopted event and conference management platform developed by CERN (European Organization for Nuclear Research), powering academic and institutional infrastructure globally:

  • CERN (European Organization for Nuclear Research): Over 900,000 events annually; 200+ rooms booked daily.
  • Worldwide: Around 145,000 events/year across 300+ institutions.
  • UN (United Nations): Over 180,000 participants/year.
  • UNOG (United Nations Office at Geneva): Up to 700,000 users/year.
  • Extensively used by universities, laboratories, research institutes, and government agencies.

Examples of affected public instances:

Due to its widespread adoption in scientific, academic, and governmental environments, this vulnerability poses serious risks:

Impact

References

https://github.com/CVE-Hunters/CVE/blob/main/Indico/CVE-2025-53640.md

https://github.com/indico/indico/security/advisories/GHSA-q28v-664f-q6wj

Finder

Rafael Corvino

Contributor

Natan Maia Morette

By: CVE-Hunters
