Galette has groups managers access control bypass on Members

2.1 / 10

LOW

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P

Description

Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group managers accounts. Version 1.2.0 fixes the issue.

Basic Information

ID CVE-2025-58052

Source GitHub_M

Published Dec 19, 2025 at 16:24

Modified Dec 19, 2025 at 16:30

Affected Product

Vendor galette

Product galette

Version >= 0.9.6, < 1.2.0

Affected Versions galette galette >= 0.9.6, < 1.2.0

CWE Classification

CWE-863

References

github.com /galette/galette/security/advisories/GHSA-gp9g-gf56-fcxx

{
    "lastseen": "",
    "description": "Galette is a membership management web application for non profit organizations. Starting in version 0.9.6 and prior to version 1.2.0, attackers with group manager role can bypass intended restrictions allowing unauthorized access and changes despite role-based controls. Since it requires privileged access initially, exploitation is restricted to malicious insiders or compromised group managers accounts. Version 1.2.0 fixes the issue.",
    "published": "2025-12-19T16:24:10.982Z",
    "modified": "2025-12-19T16:30:00.570Z",
    "type": "cve",
    "title": "Galette has groups managers access control bypass on Members",
    "source": "GitHub_M",
    "references": "https://github.com/galette/galette/security/advisories/GHSA-gp9g-gf56-fcxx",
    "id": "CVE-2025-58052",
    "bulletinFamily": "",
    "cwe": [
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "galette galette >= 0.9.6, < 1.2.0",
    "sourceHref": "",
    "cvss": {
        "score": 2.1,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "galette",
    "version": ">= 0.9.6, < 1.2.0",
    "vendor": "galette",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Galette has groups managers access control bypass on Members_CVE-2025-58052