CVE-2024-32470

Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.2 / Impact : 5.2

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required HIGH

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact HIGH

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234	Patch
https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw	Vendor Advisory
https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc	Not Applicable
https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234	Patch
https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw	Vendor Advisory
https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc	Not Applicable

Configurations

Configuration 1 (hide)

cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*

History

11 Sep 2025, 21:29

Type	Values Removed	Values Added
References	~~() https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234 -~~	() https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234 - Patch
References	~~() https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw -~~	() https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw - Vendor Advisory
References	~~() https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc -~~	() https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc - Not Applicable
First Time		Tolgee Tolgee tolgee
CPE		cpe:2.3:a:tolgee:tolgee::::::::

Information

Published : 2024-04-18 15:15

Updated : 2025-09-11 21:29

NVD link : CVE-2024-32470

Mitre link : CVE-2024-32470

CVE.ORG link : CVE-2024-32470

JSON object : View

Products Affected

tolgee

tolgee

CWE

CWE-863

Incorrect Authorization

{"id": "CVE-2024-32470", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Secondary", "source": "security-advisories@github.com", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}, "impactScore": 5.2, "exploitabilityScore": 1.2}]}, "published": "2024-04-18T15:15:30.487", "references": [{"url": "https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234", "tags": ["Patch"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw", "tags": ["Vendor Advisory"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc", "tags": ["Not Applicable"], "source": "security-advisories@github.com"}, {"url": "https://github.com/tolgee/tolgee-platform/commit/a0d861028d931f8a54387770eaf3a75031b81234", "tags": ["Patch"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-pm57-hcm8-38gw", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://github.com/tolgee/tolgee-platform/security/advisories/GHSA-r95p-fqqv-fppc", "tags": ["Not Applicable"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Analyzed", "weaknesses": [{"type": "Secondary", "source": "security-advisories@github.com", "description": [{"lang": "en", "value": "CWE-863"}]}], "descriptions": [{"lang": "en", "value": "Tolgee is an open-source localization platform. When API key created by admin user is used it bypasses the permission check at all. This error was introduced in v3.57.2 and immediately fixed in v3.57.4. "}, {"lang": "es", "value": "Tolgee es una plataforma de localizaci\u00f3n de c\u00f3digo abierto. Cuando se utiliza la clave API creada por el usuario administrador, se omite la verificaci\u00f3n de permisos. Este error se introdujo en la versi\u00f3n 3.57.2 y se solucion\u00f3 inmediatamente en la versi\u00f3n 3.57.4."}], "lastModified": "2025-09-11T21:29:07.560", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:tolgee:tolgee:*:*:*:*:*:*:*:*", "vulnerable": true, "matchCriteriaId": "602B6B76-7EE6-4C3F-9A62-03A27DB0A2B4", "versionEndExcluding": "3.57.4", "versionStartIncluding": "3.57.2"}], "operator": "OR"}]}], "sourceIdentifier": "security-advisories@github.com"}