CVE-2025-63291

5.4 MEDIUM

📋 TL;DR

This CVE describes an Insecure Direct Object Reference (IDOR) vulnerability in Alteryx Server where authenticated users can access other users' data by manipulating MongoDB object IDs in API requests. The vulnerability allows unauthorized access to sensitive information including administrative and private API keys. Affected systems are Alteryx Server versions 2022.1.1.42654 and 2024.1.

💻 Affected Systems

Products:
  • Alteryx Server
Versions: 2022.1.1.42654 and 2024.1
Operating Systems: All supported platforms
Default Config Vulnerable: ⚠️ Yes
Notes: Affects all deployments of the specified versions regardless of configuration.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Attackers gain administrative API keys, leading to complete system compromise, data exfiltration, and privilege escalation across the Alteryx environment.

🟠 Likely Case

Unauthorized access to sensitive user data and API keys, potentially enabling further attacks within the Alteryx ecosystem.

🟢 If Mitigated

Limited impact with proper access controls and monitoring, though sensitive data exposure remains possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires authenticated access but is straightforward once authenticated.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: 2024.2 or later

Vendor Advisory: https://help.alteryx.com/current/en/server/api-overview.html

Restart Required: Yes

Instructions:

1. Upgrade to Alteryx Server 2024.2 or later.
2. Restart the Alteryx Server service.
3. Verify the fix by testing API authorization checks.

🔧 Temporary Workarounds

API Access Restriction (applies to: all)

Restrict API access to trusted IP addresses only using network controls.

Enhanced Monitoring (applies to: all)

Implement detailed logging and monitoring of API requests for suspicious object ID patterns.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate Alteryx Server from untrusted networks.
  • Deploy a web application firewall (WAF) with IDOR detection rules to block exploitation attempts.

🔍 How to Verify

Check if Vulnerable:

Test API endpoints with manipulated MongoDB object IDs while authenticated as a non-admin user to see if unauthorized data is returned.

Check Version:

Check Alteryx Server version in the administration console or via the API.

Verify Fix Applied:

After patching, repeat the same test to confirm unauthorized access is now properly blocked.

📡 Detection & Monitoring

Log Indicators:

  • Unusual patterns of API requests with sequential or manipulated object IDs
  • Access to API keys from non-admin users

Network Indicators:

  • Multiple failed authorization attempts followed by successful data retrieval
  • Unusual API request patterns from single users

SIEM Query:

source="alteryx_server" event_type="api_request" | regex object_id="^[0-9a-f]{24}$" | stats count by user, object_id
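The SIEM query above only counts requests per user and object ID; the log indicators listed earlier (enumeration of many distinct or near-sequential object IDs, and non-admin reads of API keys) need a little more logic. The following is an added example, not code from the advisory or from Alteryx: it parses constructed key=value access-log lines (the log layout, the /webapi/v3/... path shapes, the role field and the distinct-ID threshold are all assumptions for this example) and emits per-user findings a detection engineer could turn into an alert.

```python
import re
from collections import defaultdict

# Constructed sample API access log (not real Alteryx Server output; the
# key=value layout and the /webapi/v3/... paths are assumptions for this example).
SAMPLE_LOG = """\
2025-11-01T10:00:01Z user=alice role=user method=GET path=/webapi/v3/users/64f1c2d3e4a5b6c7d8e9f001 status=200
2025-11-01T10:00:02Z user=alice role=user method=GET path=/webapi/v3/users/64f1c2d3e4a5b6c7d8e9f002 status=200
2025-11-01T10:00:03Z user=alice role=user method=GET path=/webapi/v3/users/64f1c2d3e4a5b6c7d8e9f003 status=200
2025-11-01T10:00:04Z user=alice role=user method=GET path=/webapi/v3/users/64f1c2d3e4a5b6c7d8e9f004/apikeys status=200
2025-11-01T10:00:05Z user=bob role=admin method=GET path=/webapi/v3/users/64f1c2d3e4a5b6c7d8e9f010/apikeys status=200
2025-11-01T10:00:06Z user=carol role=user method=GET path=/webapi/v3/workflows/7a0b1c2d3e4f5a6b7c8d9e0f status=200
2025-11-01T10:00:07Z user=dave role=user method=GET path=/webapi/v3/users/not-an-objectid status=404
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) role=(?P<role>\S+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+) status=(?P<status>\d+)$"
)
# A MongoDB ObjectId is exactly 24 lowercase hex characters; the lookarounds
# stop the pattern from matching inside longer hex strings.
OBJECT_ID_RE = re.compile(r"(?<![0-9a-f])[0-9a-f]{24}(?![0-9a-f])")


def parse_log(text):
    """Parse log lines into dicts; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["object_ids"] = OBJECT_ID_RE.findall(ev["path"])
        events.append(ev)
    return events


def detect(events, max_distinct_ids=3):
    """Return a list of (user, reason) findings for IDOR-style access patterns.

    max_distinct_ids is a tunable threshold (assumed value for this example).
    """
    ids_by_user = defaultdict(set)
    findings = []
    for ev in events:
        if ev["status"] != "200":
            continue  # only successful retrievals indicate data actually left the server
        ids_by_user[ev["user"]].update(ev["object_ids"])
        # Page indicator: API key access by a non-admin user.
        if "/apikeys" in ev["path"] and ev["role"] != "admin":
            findings.append((ev["user"], "non-admin read of API keys"))

    for user, ids in ids_by_user.items():
        # Page indicator: one user touching many distinct object IDs.
        if len(ids) > max_distinct_ids:
            findings.append((user, f"{len(ids)} distinct object IDs accessed"))
        # ObjectIds are 4-byte timestamp + 5-byte random + 3-byte counter, so IDs
        # minted back to back by one process share their first 18 hex characters
        # and differ only in the counter. Several such IDs from one user suggests
        # sequential manipulation rather than organic navigation.
        by_prefix = defaultdict(set)
        for oid in ids:
            by_prefix[oid[:18]].add(oid)
        if any(len(group) >= 3 for group in by_prefix.values()):
            findings.append((user, "near-sequential object IDs (shared 18-hex prefix)"))
    return findings


if __name__ == "__main__":
    for user, reason in detect(parse_log(SAMPLE_LOG)):
        print(f"{user}: {reason}")
```

On the constructed sample only alice is flagged, on all three heuristics; bob reads API keys but is an admin, and dave's 404 never reached a resource. The shared-prefix check is a heuristic: legitimate bulk operations on objects created in one batch also share a prefix, so pair it with the distinct-ID threshold rather than alerting on it alone.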

