Basic Information

CVE ID: CVE-2025-61119

Vulnerability type: Incorrect Access Control

Product: Kanova (Android App)

Package Name: com.karelane

Version: 1.0.27

Vendor: Karely L.L.C.

<aside> 💡

NOTE: We reported this issue via email on 2025-09-05. After more than 45 days without any response or remediation from the vendor, we are publishing this report on 2025-10-20 out of concern for transparency and user security. We remain open to cooperating with the vendor should they choose to respond in the future.

</aside>

Description

  1. Under normal circumstances, a user cannot view other users’ information within the app. However, by calling the /api/users/{userid} endpoint, an attacker can gain unauthorized access to any user’s details such as name and email.


  2. By using the /api/causes/causeMember/getMemberWithCauseId?cause_id={cause_id} endpoint, an attacker can obtain information such as members and entry codes of any group in the app by tampering with the cause_id.

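Both findings are object-level authorization failures, and a backend that logs the authenticated subject per request can detect the resulting enumeration pattern. The following is an added example, not code from the advisory or from the vendor: it assumes a hypothetical access-log format (timestamp, `sub=<user id>`, method, path, status) and flags any subject that successfully reads several distinct foreign ids on either of the two endpoints named above. The log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample log (hypothetical format, not the vendor's): subject 101 reads three other
# users' records; subject 202 walks three cause_id values on the group-member endpoint.
SAMPLE_LOG = """\
2025-09-05T10:00:01Z sub=101 GET /api/users/101 200
2025-09-05T10:00:02Z sub=101 GET /api/users/102 200
2025-09-05T10:00:03Z sub=101 GET /api/users/103 200
2025-09-05T10:00:04Z sub=101 GET /api/users/104 200
2025-09-05T10:00:05Z sub=202 GET /api/users/202 200
2025-09-05T10:00:06Z sub=202 GET /api/causes/causeMember/getMemberWithCauseId?cause_id=7 200
2025-09-05T10:00:07Z sub=202 GET /api/causes/causeMember/getMemberWithCauseId?cause_id=8 200
2025-09-05T10:00:08Z sub=202 GET /api/causes/causeMember/getMemberWithCauseId?cause_id=9 200
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) sub=(?P<sub>\d+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")
USER_RE = re.compile(r"^/api/users/(?P<id>\d+)$")
CAUSE_RE = re.compile(r"^/api/causes/causeMember/getMemberWithCauseId\?cause_id=(?P<id>\d+)$")


def parse_line(line):
    """Return the fields of one access-log line, or None if it does not match the assumed format."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def object_ref(path):
    """Map a request path to (endpoint label, object id) for the two affected endpoints, else None."""
    m = USER_RE.match(path)
    if m:
        return ("users", m.group("id"))
    m = CAUSE_RE.match(path)
    if m:
        return ("causeMember", m.group("id"))
    return None


def find_enumeration(log_text, threshold=3):
    """Return {(subject, endpoint): [ids]} for subjects that successfully read >= threshold distinct
    object ids on one endpoint. A subject fetching its own /api/users record is expected and ignored."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["status"] != "200":
            continue  # only successful reads indicate data actually left the server
        ref = object_ref(rec["path"])
        if ref is None:
            continue
        endpoint, oid = ref
        if endpoint == "users" and oid == rec["sub"]:
            continue
        seen[(rec["sub"], endpoint)].add(oid)
    return {key: sorted(ids) for key, ids in seen.items() if len(ids) >= threshold}
```

Tune `threshold` to the app's normal usage; a legitimate member of several groups will touch a few cause_id values, so a low threshold is better used for triage than for blocking.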