CVE-2023-41266

Severity: High · CISA KEV · Active Exploitation · EUVD Exploited · Ransomware-linked

Published: 29 August 2023
Modified: 31 October 2025
KEV Added: 07 December 2023
Patch: available
CVSS Score (v3.1): 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.9422 (99.9th percentile)
Risk Priority: 93 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2023-41266 is a high-severity Path Traversal (CWE-22) vulnerability in Qlik Sense. Its CVSS v3.1 base score is 8.2 (High).

Operationally, it ranks in the top 0.1% of CVEs by exploit likelihood (EPSS), and CISA has added it to the Known Exploited Vulnerabilities catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-2 (Flaw Remediation).

Deeper analysis

A path traversal vulnerability exists in Qlik Sense Enterprise for Windows in versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier. The flaw (CWE-22) permits an unauthenticated remote attacker to generate an anonymous session and then issue HTTP requests to endpoints that should require authorization; it carries a CVSS 3.1 score of 8.2.

An unauthenticated attacker can exploit the issue over the network without user interaction to obtain a session token and reach internal resources that should be restricted, resulting in high confidentiality impact and limited integrity exposure.

Vendor advisories from Qlik direct customers to apply the fixes released in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13; the same updates are referenced in the associated release notes.

The vulnerability appears in the CISA Known Exploited Vulnerabilities catalog, and its EPSS score has reached a peak of 0.9429 with a current value of 0.9422, indicating sustained exploitation interest following disclosure.

EU & UK References

Vulnerability details

A path traversal vulnerability found in Qlik Sense Enterprise for Windows for versions May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier allows an unauthenticated remote attacker to generate an anonymous session. This allows them to transmit HTTP requests to unauthorized endpoints. This is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13.

CWE(s): CWE-22 (Path Traversal)
KEV Date Added: 07 December 2023

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

Vendor: qlik
Product: qlik sense
Affected version branches: august_2022, february_2023, may_2023, november_2022

Mitigating Controls (NIST 800-53 r5)

Prevent, SI-2 (Flaw Remediation): Directly requires timely installation of vendor patches that close the path-traversal flaw allowing anonymous session creation.

Prevent, AC-3 (Access Enforcement): Enforces approved authorizations on HTTP endpoints so that an attacker cannot reach restricted resources even after obtaining an anonymous session via path traversal.

Prevent: Requires validation of user-supplied input (file paths) to block the path-traversal sequences that produce unauthorized anonymous sessions.

References