CVE-2025-15097
📋 TL;DR
This vulnerability in Alteryx Server allows attackers to bypass authentication via manipulation of the /gallery/api/status/ endpoint. Remote attackers can exploit this to gain unauthorized access to the system. Organizations running vulnerable versions of Alteryx Server are affected.
💻 Affected Systems
- Alteryx Server
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise allowing data exfiltration, privilege escalation, and lateral movement within the network
Likely Case
Unauthorized access to sensitive business intelligence data and analytics workflows
If Mitigated
Limited impact with proper network segmentation and access controls preventing lateral movement
🎯 Exploit Status
Exploit details are publicly available in the GitHub gist reference
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2023.1.1.13.486, 2023.2.1.10.293, 2024.1.1.9.236, 2024.2.1.6.125, or 2025.1.1.1.31
Vendor Advisory: https://help.alteryx.com/release-notes/en/release-notes/server-release-notes/server-2025-1-release-notes.html
Restart Required: Yes
Instructions:
1. Download the appropriate patched version from Alteryx official sources.
2. Backup current configuration and data.
3. Install the update following Alteryx documentation.
4. Restart Alteryx Server services.
5. Verify functionality.
🔧 Temporary Workarounds
Network Access Restriction
Restrict access to Alteryx Server to trusted IP addresses only
API Endpoint Blocking
Block access to the vulnerable /gallery/api/status/ endpoint
🧯 If You Can't Patch
- Implement strict network segmentation to isolate Alteryx Server from other critical systems
- Deploy web application firewall (WAF) rules to block exploitation attempts targeting the vulnerable endpoint
🔍 How to Verify
Check if Vulnerable:
Check Alteryx Server version against affected versions list. Test if unauthenticated access to /gallery/api/status/ returns sensitive information.
Check Version:
Check Alteryx Server administration console or configuration files for version information
Verify Fix Applied:
Verify version is updated to one of the patched versions and test that authentication is properly enforced on the /gallery/api/status/ endpoint
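One way to do the version half of this check across several hosts, as an added example that is not from Alteryx or from this page's own tooling: it compares each installed build with the patched build listed above for the same release branch. It assumes the first two version fields identify the branch and that builds compare numerically field by field; the hostnames and installed versions in the sample are constructed.

```python
# Patched builds copied from the "Official Fix" line on this page.
# Assumption: fields 1-2 (e.g. 2024.1) name the release branch and the
# dotted string orders numerically, field by field.
PATCHED_BUILDS = ["2023.1.1.13.486", "2023.2.1.10.293", "2024.1.1.9.236",
                  "2024.2.1.6.125", "2025.1.1.1.31"]

def parse_version(text):
    """Turn '2024.1.1.9.236' into (2024, 1, 1, 9, 236); reject anything else."""
    parts = text.strip().split(".")
    if len(parts) < 3 or not all(p.isdecimal() for p in parts):
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(p) for p in parts)

# Map each release branch, e.g. (2024, 1), to its first fixed build.
FIXED_BY_BRANCH = {parse_version(v)[:2]: parse_version(v) for v in PATCHED_BUILDS}

def patch_status(installed):
    """Return 'patched', 'needs-update' or 'unlisted-branch' for one version."""
    version = parse_version(installed)
    fixed = FIXED_BY_BRANCH.get(version[:2])
    if fixed is None:
        # Branch is not named on the page: do not guess, check the advisory.
        return "unlisted-branch"
    return "patched" if version >= fixed else "needs-update"

def audit(inventory):
    """inventory: {hostname: version string}. Returns {hostname: status}."""
    report = {}
    for host, version in inventory.items():
        try:
            report[host] = patch_status(version)
        except ValueError:
            report[host] = "unparseable"
    return report

if __name__ == "__main__":
    # Constructed sample inventory; hostnames and installed builds are made up.
    sample = {
        "ayx-prod-01": "2024.1.1.9.236",
        "ayx-prod-02": "2024.2.1.5.90",
        "ayx-dev-01": "2022.3.1.450",
        "ayx-lab-01": "2025.1.1.2.4",
        "ayx-old-01": "unknown",
    }
    for host, status in audit(sample).items():
        print(f"{host}: {status}")
```

A host reported as `unlisted-branch` or `unparseable` still needs the manual check against the vendor advisory, and a `patched` result covers only the version; the endpoint test described above is separate.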
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access attempts to /gallery/api/status/
- Authentication bypass logs
- Unusual API calls from unexpected sources
Network Indicators:
- HTTP requests to /gallery/api/status/ without authentication headers
- Traffic patterns indicating authentication bypass
SIEM Query:
source="alteryx" AND (url="/gallery/api/status/" OR event="authentication_failure")
🔗 References
- https://gist.github.com/apostolovd/f84631eed2f0c0e83e2e174b1480f08c
- https://help.alteryx.com/release-notes/en/release-notes/server-release-notes/server-2025-1-release-notes.html
- https://ict-strypes.eu/wp-content/uploads/2025/12/Alteryx-Second-Research.pdf
- https://vuldb.com/?ctiid.338428
- https://vuldb.com/?id.338428
- https://vuldb.com/?submit.710169