This allows to access all PDFs created in the last 24 hours by guessing the IDs. This would be possible by triggering the creation of a PDF, determining its ID in the GraphQL request and count upwards or downwards. This happens because the permission check is only active if a user has a person.
if has_person(info.context) and info.context.user.person != pdf_file.person:added Security core-4.0 part::backend prio::1 type::bug workflow::current-todo labels
assigned to @hansegucker
1180-confidential-issue to address this issue created branch 1180-confidential-issue to address this issue
mentioned in merge request !1692 (merged)
closed with merge request !1692 (merged)
mentioned in commit 17a14979
made the issue visible to everyone
changed title from Not-logged in users can access all PDF files to Not-logged in users can access all PDF files (CVE-2025-25683)