Basic Information

CVE ID: CVE-2025-61117

Vulnerability type: Incorrect Access Control

Product: Senza: Keto & Fasting (Android App)

Package Name: com.gl.senza

Version: 2.10.15

Vendor: Paul Itoi

<aside> 💡

NOTE: We reported this issue via email on 2025-09-05. After more than 45 days without any response or remediation from the vendor, we are publishing this report on 2025-10-20 out of concern for transparency and user security. We remain open to cooperating with the vendor should they choose to respond in the future.

</aside>

Description

The endpoint /api/v2/users/{userid}/user_data returns the record of whichever user id appears in the path, including that user's authentication_token, without checking that the requester owns the account. An attacker who substitutes another user's id in the path therefore obtains that user's authentication_token and can present it to act as that user, which amounts to a full account takeover.

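The flaw described above is a missing object-level authorization check on a per-user resource. The following is an added illustration, not code from the Senza app or its backend: a minimal handler written the way the vulnerable endpoint behaves (the path id is trusted and the stored token is serialized back out) next to a hardened version that requires the caller to own the account and never returns the credential. The names (`USERS`, `SESSIONS`, `Request`, `user_data_vulnerable`, `user_data_fixed`, `account_takeover_possible`), the sample accounts and tokens, and the assumption that the attacker holds a valid session for their own account are all constructed for the example; the page does not say whether the real endpoint required any authentication at all.

```python
"""Added example (not the vendor's code): an IDOR-style access-control bug on
/api/v2/users/{userid}/user_data, shown vulnerable and fixed.

All names and data below are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Constructed sample accounts. Each stored record carries the user's
# authentication_token, as the advisory says the real response did.
USERS = {
    1001: {"email": "alice@example.com", "authentication_token": "tok-alice-111", "weight_kg": 61},
    1002: {"email": "bob@example.com", "authentication_token": "tok-bob-222", "weight_kg": 83},
}
# Constructed session store: bearer token -> user id it authenticates as.
SESSIONS = {"tok-alice-111": 1001, "tok-bob-222": 1002}


@dataclass
class Request:
    """Hypothetical request: the {userid} path parameter and the caller's bearer token."""
    path_user_id: int
    bearer: Optional[str] = None


def _caller_id(req: Request) -> Optional[int]:
    """Resolve the caller's identity from the bearer token (None if not logged in)."""
    return SESSIONS.get(req.bearer)


def user_data_vulnerable(req: Request):
    """Vulnerable pattern: authenticates the caller but never checks that the
    caller owns the account named in the path, and serializes the stored
    authentication_token into the response."""
    if _caller_id(req) is None:
        return 401, {"error": "unauthenticated"}
    record = USERS.get(req.path_user_id)
    if record is None:
        return 404, {"error": "not found"}
    return 200, dict(record)  # leaks authentication_token of any user id


def user_data_fixed(req: Request):
    """Hardened pattern: object-level authorization plus credential hygiene.
    The caller must be the user named in the path; a mismatch gets the same
    404 as a missing id so the endpoint does not confirm which ids exist.
    The stored token is never part of the response body."""
    caller = _caller_id(req)
    if caller is None:
        return 401, {"error": "unauthenticated"}
    if caller != req.path_user_id:
        return 404, {"error": "not found"}
    record = USERS.get(req.path_user_id)
    if record is None:
        return 404, {"error": "not found"}
    public = {k: v for k, v in record.items() if k != "authentication_token"}
    return 200, public


def account_takeover_possible(handler, attacker_bearer: str, victim_id: int) -> bool:
    """Reproduce the advisory's impact against `handler`: request the victim's
    user_data with the attacker's own session, pull any leaked token out of
    the body, and check whether that token now authenticates as the victim."""
    status, body = handler(Request(victim_id, attacker_bearer))
    token = body.get("authentication_token") if status == 200 else None
    if token is None:
        return False
    return SESSIONS.get(token) == victim_id


if __name__ == "__main__":
    # Bob (1002) targets Alice (1001).
    print("vulnerable:", account_takeover_possible(user_data_vulnerable, "tok-bob-222", 1001))
    print("fixed:     ", account_takeover_possible(user_data_fixed, "tok-bob-222", 1001))
```

The two checks in `user_data_fixed` are independent and both matter: the ownership check closes the enumeration, and dropping `authentication_token` from the serialized record means that even a future authorization regression does not hand out a reusable credential. Returning 404 rather than 403 on a mismatch is a deliberate choice to avoid confirming which user ids exist.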