CVE-2025-11581

5.3 MEDIUM

📋 TL;DR

PowerJob versions up to 5.1.2 have an authorization bypass vulnerability in the OpenAPIController's /openApi/runJob endpoint. This allows remote attackers to execute jobs without proper authentication. All PowerJob deployments using vulnerable versions are affected.

💻 Affected Systems

Products:
  • PowerJob
Versions: up to 5.1.2
Operating Systems: All
Default Config Vulnerable: ⚠️ Yes
Notes: Affects deployments with OpenAPI endpoints enabled (default configuration).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers could execute arbitrary jobs with system-level privileges, potentially leading to data manipulation, service disruption, or lateral movement within the environment.

🟠 Likely Case

Unauthorized users could trigger legitimate jobs out of sequence, causing operational disruption or data inconsistencies.

🟢 If Mitigated

With proper network segmentation and authentication controls, impact would be limited to unauthorized job execution within the PowerJob application scope.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ✅ No
Complexity: MEDIUM

Exploit details are publicly disclosed but no proof-of-concept code is available. Attack requires understanding of PowerJob's job execution API.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 5.1.3 or later

Vendor Advisory: https://github.com/PowerJob/PowerJob/issues/1128

Restart Required: No

Instructions:

1. Update PowerJob to version 5.1.3 or later.
2. Verify the /openApi/runJob endpoint now requires proper authorization.
3. Test job execution functionality.

🔧 Temporary Workarounds

Disable OpenAPI Endpoint

all

Temporarily disable the vulnerable /openApi endpoint if it is not required.

Configure PowerJob to disable the openapi.enabled property.

Network Access Control

all

Restrict network access to PowerJob's API endpoints

Use firewall rules to limit access to PowerJob ports from trusted sources only

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PowerJob instances
  • Add API gateway with authentication/authorization in front of PowerJob endpoints

🔍 How to Verify

Check if Vulnerable:

Check the PowerJob version. If the version is ≤5.1.2 and the OpenAPI endpoints are enabled, the system is vulnerable.

Check Version:

Check PowerJob application logs or configuration files for version information

Verify Fix Applied:

After updating to ≥5.1.3, attempt unauthorized access to the /openApi/runJob endpoint; the request should be rejected with an authentication error.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /openApi/runJob
  • Job executions from unexpected sources

Network Indicators:

  • HTTP POST requests to /openApi/runJob without authentication headers

SIEM Query:

source="powerjob" AND (uri_path="/openApi/runJob" AND NOT auth_success="true")
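
The log and network indicators above, applied to JSON access-log lines as an added example (not PowerJob's or the vendor's code). It goes beyond the SIEM query by normalizing path variants and by flagging authenticated calls from outside an allowlist; the `uri_path` and `auth_success` fields follow the query above, while `ts`, `src_ip`, `method`, the trusted network and the sample events are assumptions constructed for illustration.

```python
import ipaddress
import json
import posixpath

RUN_JOB_PATH = "/openApi/runJob"
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]  # assumption: allowed callers

# Constructed sample events (not real PowerJob output), one JSON object per line.
SAMPLE_LOG = """\
{"ts":"t1","src_ip":"10.20.0.15","method":"POST","uri_path":"/openApi/runJob","auth_success":"true"}
{"ts":"t2","src_ip":"203.0.113.7","method":"POST","uri_path":"/openApi/runJob","auth_success":"false"}
{"ts":"t3","src_ip":"10.20.0.15","method":"POST","uri_path":"/openApi//runJob?id=1"}
{"ts":"t4","src_ip":"198.51.100.9","method":"POST","uri_path":"/openApi/runJob","auth_success":"true"}
{"ts":"t5","src_ip":"203.0.113.7","method":"GET","uri_path":"/index.html","auth_success":"false"}
truncated-line-not-json
"""

def normalize_path(raw):
    """Strip query/fragment and collapse '//', '/./' and a trailing '/'."""
    path = raw.split("?", 1)[0].split("#", 1)[0]
    return posixpath.normpath("/" + path.lstrip("/"))

def classify(event):
    """Return the reasons an event matches the indicators (empty list = no match)."""
    method = str(event.get("method", "")).upper()
    if method != "POST" or normalize_path(str(event.get("uri_path", ""))) != RUN_JOB_PATH:
        return []
    reasons = []
    if str(event.get("auth_success", "")).lower() != "true":
        reasons.append("unauthenticated")  # a missing field counts as not authenticated
    try:
        src = ipaddress.ip_address(str(event.get("src_ip", "")))
        trusted = any(src in net for net in TRUSTED_NETS)
    except ValueError:
        trusted = False  # an unparseable source address is treated as untrusted
    if not trusted:
        reasons.append("unexpected-source")
    return reasons

def scan(log_text):
    """Return (ts, src_ip, reasons) for each matching line; skip non-JSON lines."""
    findings = []
    for line in log_text.splitlines():
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        if isinstance(event, dict) and (reasons := classify(event)):
            findings.append((event.get("ts"), event.get("src_ip"), reasons))
    return findings
```

Calling `scan(SAMPLE_LOG)` returns the three flagged events; replace `TRUSTED_NETS` and the field names with those of the proxy or gateway that actually fronts the PowerJob server.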
