Cyber Posture

CVE-2025-67493

Severity: High
Published: 17 December 2025
Modified: 30 January 2026
KEV Added: (none listed)
Patch: (none listed)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L)
EPSS Score: 0.0018 (39.2 percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Description

Homarr is an open-source dashboard. Prior to version 1.45.3, it was possible to craft an input which allowed privilege escalation and getting access to groups of other users due to missing sanitization of inputs in the LDAP search query. The vulnerability could impact all instances using LDAP authentication where a malicious actor had access to a user account. Version 1.45.3 has a patch for the issue.

Mitigating Controls (NIST 800-53 r5) (AI)

prevent: Directly requires validation and sanitization of application inputs, such as those in LDAP search queries, to prevent crafted inputs from enabling privilege escalation.

prevent: Mandates timely identification, testing, and installation of software patches, such as Homarr version 1.45.3, to remediate the input validation flaw and prevent exploitation.

prevent: Enforces least privilege for user accounts, limiting the scope and impact of privilege escalation even if attackers craft malicious LDAP inputs using a valid account.

Security Summary (AI)

CVE-2025-67493 is an improper input validation vulnerability (CWE-20, CWE-90) in Homarr, an open-source dashboard. In versions prior to 1.45.3, the application fails to sanitize inputs used in LDAP search queries, enabling attackers to manipulate queries for privilege escalation and unauthorized access to other users' groups. This issue affects all Homarr instances configured with LDAP authentication.

To exploit the flaw, an attacker needs access to a valid user account on a vulnerable Homarr instance that uses LDAP authentication. By supplying a specially crafted value that reaches the LDAP search query unescaped, the attacker can escalate their privileges and obtain membership in groups belonging to other users. Successful exploitation results in high confidentiality and integrity impact and low availability impact, with a CVSS v3.1 base score of 7.5 (AV:N/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:L): the issue is reachable over the network, but exploitation depends on high privileges, user interaction and high attack complexity, and the scope is changed because the LDAP directory is a separate security authority from the dashboard itself.

The official advisory from the Homarr project at https://github.com/homarr-labs/homarr/security/advisories/GHSA-59gp-q3xx-489q confirms the vulnerability and states that version 1.45.3 includes a patch addressing the input sanitization deficiency in LDAP queries. Security practitioners should upgrade affected instances to 1.45.3 or later to mitigate the risk.
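The flaw class that the first mitigating control and the summary describe, user input interpolated into an LDAP search filter without sanitization (CWE-90), has a well-defined fix: escape the RFC 4515 filter metacharacters in every value before it is placed in a filter, and reject values that fail an allow-list check before they get that far. The Python below is an added illustration written for this page; it is not Homarr's code or its 1.45.3 patch. The attribute names (`uid`, `member`), the unsafe/safe filter builders and the constructed sample usernames are assumptions.

```python
"""Escaping and validating values before they reach an LDAP search filter.

Illustration added for this page (not Homarr's code). RFC 4515 section 3
defines the characters that must be escaped inside a filter assertion value;
once escaped, a user-supplied value can only match as a literal string and
cannot change the structure of the filter.
"""
import re

# RFC 4515 escape table: each metacharacter becomes a backslash plus two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Assumed allow-list for login names (defence in depth, applied before escaping).
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Return value with every filter metacharacter replaced by its RFC 4515 escape.

    The replacement is per character, so a backslash produced by one escape is
    never re-escaped by another.
    """
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def validate_username(username: str) -> bool:
    """True if the login name matches the allow-list; reject anything else early."""
    return _USERNAME_RE.fullmatch(username) is not None


def build_user_filter_unsafe(username: str, username_attr: str = "uid") -> str:
    """Vulnerable pattern: raw string interpolation into the filter (do not use)."""
    return f"(&(objectClass=person)({username_attr}={username}))"


def build_user_filter(username: str, username_attr: str = "uid") -> str:
    """Hardened pattern: the value is escaped, so it can only match literally."""
    return f"(&(objectClass=person)({username_attr}={escape_filter_value(username)}))"


def build_group_filter(user_dn: str, member_attr: str = "member") -> str:
    """Filter for the groups whose membership attribute names this user's DN.

    DN punctuation (commas, equals signs) is not a filter metacharacter, so the
    escape leaves an ordinary DN unchanged while still neutralising '*', '(' and ')'.
    """
    return f"(&(objectClass=groupOfNames)({member_attr}={escape_filter_value(user_dn)}))"


if __name__ == "__main__":
    # Constructed sample values, not real directory data.
    for name in ("alice", "alice*", "a(b)c"):
        print(f"{name!r:12} valid={validate_username(name)!s:5} "
              f"unsafe={build_user_filter_unsafe(name)}  safe={build_user_filter(name)}")
    print(build_group_filter("cn=alice,ou=people,dc=example,dc=org"))
```

Running the module shows the difference directly: with the unsafe builder the wildcard in `alice*` stays live inside the filter, while the hardened builder renders it as `\2a`, a literal asterisk. The group lookup is the same pattern applied to the DN returned by the user search, which is the second place such code typically interpolates a value it did not construct itself.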

Details

CWE(s)

CWE-20 (Improper Input Validation), CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query, 'LDAP Injection')

Affected Products

homarr / homarr: ≤ 1.45.3

MITRE ATT&CK Enterprise Techniques (AI)

T1068 Exploitation for Privilege Escalation (tactic: Privilege Escalation)
Adversaries may exploit software vulnerabilities in an attempt to elevate privileges.
T1098.007 Additional Local or Domain Groups (tactic: Persistence)
An adversary may add additional local or domain groups to an adversary-controlled account to maintain persistent access to a system or domain.
Why these techniques?

Vulnerability enables privilege escalation via LDAP query manipulation (T1068) and unauthorized addition to other users' groups (T1098.007).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/homarr-labs/homarr/security/advisories/GHSA-59gp-q3xx-489q (Homarr project security advisory)