CVE-2025-9609: Missing Function-Level Access Control in /educacenso/consulta Endpoint
CVE Publication: https://www.cve.org/CVERecord?id=CVE-2025-9609
Summary
A Broken Access Control vulnerability was identified in the /educacenso/consulta endpoint of the i-Educar application. This issue allows authenticated users without the required role to access functionalities or data that should be restricted, resulting in an elevation of privilege and unauthorized access.
Details
Vulnerable Endpoint: GET /educacenso/consulta
Authentication: Required (but insufficient authorization checks)
Role required: none beyond basic application access (any authenticated user)
Affected scenario: A user without the required role is still able to directly access the endpoint.
The application fails to enforce proper role-based access control (RBAC) on the /educacenso/consulta endpoint. As a result, users with lower privilege levels can access sensitive data and functionalities that should be restricted to higher-privileged roles.
PoC
Request using a session from a user without the Educacenso role:
Observed Result: The server responds with HTTP 200 and returns restricted content.
Expected Result: The server should respond with HTTP 403 (Forbidden).
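The check that is missing here, modelled as an added example (not i-Educar's code): an authentication-only guard that yields the observed HTTP 200 beside a role-based guard that yields the expected 403 for a user lacking the Educacenso role. The route path and role name come from this advisory; the user accounts and the route-to-role policy are constructed for the illustration.

```python
from dataclasses import dataclass, field


@dataclass(frozen=True)
class User:
    username: str
    roles: frozenset = field(default_factory=frozenset)


# Constructed policy: the role each guarded route requires. A route that is
# absent from the map is denied (deny by default), so a newly added endpoint
# cannot ship without an authorization rule.
ROUTE_ROLE_POLICY = {
    "/educacenso/consulta": "Educacenso",  # role name as stated in the advisory
}


def authorize_authn_only(user, path):
    """Models the vulnerable behaviour: any authenticated session is enough."""
    return 200 if user is not None else 401


def authorize_rbac(user, path):
    """Hardened check: the session must be authenticated AND hold the role
    the policy maps to the requested route; anything else is 403."""
    if user is None:
        return 401
    required_role = ROUTE_ROLE_POLICY.get(path)
    if required_role is None or required_role not in user.roles:
        return 403
    return 200


def compare(path):
    """Run the same two constructed users through both guards and return the
    (basic_user_status, census_user_status) pair for each."""
    basic = User("basic", frozenset({"app_access"}))
    census = User("census_admin", frozenset({"app_access", "Educacenso"}))
    return {
        "vulnerable": (authorize_authn_only(basic, path),
                       authorize_authn_only(census, path)),
        "fixed": (authorize_rbac(basic, path), authorize_rbac(census, path)),
    }


if __name__ == "__main__":
    for name, statuses in compare("/educacenso/consulta").items():
        print(f"{name}: basic user -> {statuses[0]}, census user -> {statuses[1]}")
```

A regression test asserting that the basic user receives 403 on this route is the check that would have caught the issue before release.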
Impact
- Unauthorized access to sensitive educational census data;
- Elevation of privilege from a basic user to roles with access to restricted modules;
- Potential manipulation of sensitive data if write operations are accessible;
- Breach of confidentiality and integrity of protected information;
- Compliance violations if sensitive personal data is exposed to unauthorized users.
Reference
https://github.com/marcelomulder/CVE/blob/main/i-educar/CVE-2025-9608.md
Finder
By: CVE-Hunters