CVE-2025-3646
Published: 04 January 2026
Summary
CVE-2025-3646 is a medium-severity Missing Authentication for Critical Function (CWE-306) vulnerability in the Petlibro Smart Pet Feeder Platform. The CVSS base score reported here is 6.9 (Medium); the CVSS v3.1 vector given in the deeper analysis below scores 7.3, which is High on the v3.1 qualitative scale, so treat the severity label with that discrepancy in mind.
Operationally, exploitation maps to the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 9.2nd percentile for exploit likelihood (well below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-24 (Access Control Decisions) and AC-3 (Access Enforcement).
Deeper analysis
CVE-2025-3646 is an authorization bypass vulnerability in the Petlibro Smart Pet Feeder Platform, versions up to and including 1.7.31. The flaw arises from missing permission checks in the device share API, allowing unauthorized users to add other users as shared owners to any device. The issue is mapped to CWE-306 (Missing Authentication for Critical Function); as described, the root cause is a permission check that is absent on a state-changing operation, so the fix must establish both who the caller is and whether that caller owns the target device. It carries a CVSS v3.1 base score of 7.3 (High on the v3.1 scale; vector AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L) and was published on 2026-01-04.
Any unauthenticated attacker with network access (PR:N in the vector) can exploit this vulnerability by sending requests directly to the device share API, bypassing authorization validation. Successful exploitation lets the attacker add themselves or others as shared owners of a targeted device and read its owner information, potentially compromising pet feeder controls and the associated user data.
Advisories detailing the vulnerability and mitigation recommendations are available at https://bobdahacker.com/blog/petlibro and https://www.vulncheck.com/advisories/petlibro-smart-pet-feeder-platform-through-authorization-bypass-via-device-share-api.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0788
Vulnerability details
Petlibro Smart Pet Feeder Platform versions up to 1.7.31 contains an authorization bypass vulnerability that allows unauthorized users to add users as shared owners to any device by exploiting missing permission checks. Attackers can send requests to the device share API to gain unauthorized access to devices and view owner information without proper authorization validation.
CWE(s)
- CWE-306: Missing Authentication for Critical Function
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
- T1190 Exploit Public-Facing Application: the device share API is an internet-reachable endpoint, and the missing authorization check on it directly enables unauthorized device access and account manipulation on the platform.
Affected Assets
- Petlibro Smart Pet Feeder Platform, versions up to and including 1.7.31
Mitigating Controls (NIST 800-53 r5)
- AC-3 (Access Enforcement): directly enforces authorization checks on the device share API so that only permitted users can add shared owners.
- AC-24 (Access Control Decisions): requires the system to make and enforce an explicit access-control decision, tied to the authenticated caller and the specific device, before allowing any share operation.
- Least privilege: limits privileges so that even authenticated users cannot change a device's owners or sharing without explicit assignment of the required permission.
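The handler below is an added illustration, not Petlibro's code, of the flaw described in the deeper analysis (a share endpoint that mutates device ownership without checking who is asking) beside a version that applies the AC-3/AC-24 controls listed above. The endpoint shape, the request field names `device_id` and `new_user`, the sample users and the device store are all assumptions made for the example.

```python
# Added example (not Petlibro's code): a minimal model of a device-share
# endpoint with the missing permission check described for CVE-2025-3646,
# next to a hardened version. Field names, users and the in-memory device
# store are assumptions for illustration only.
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Device:
    device_id: str
    owner: str
    shared_owners: set = field(default_factory=set)


def sample_devices() -> dict:
    # Constructed sample data: a single feeder owned by "alice".
    return {"feeder-001": Device("feeder-001", owner="alice")}


def share_device_vulnerable(devices: dict, body: dict) -> dict:
    """Flawed handler: acts on whatever device_id/new_user the request body
    names. It requires no session and never checks that the caller owns the
    device, so anyone who can reach the API adds a shared owner to any device
    and reads the owner's identity from the response."""
    device = devices[body["device_id"]]
    device.shared_owners.add(body["new_user"])
    return {
        "status": 200,
        "owner": device.owner,  # owner information leaks to the caller
        "shared_owners": sorted(device.shared_owners),
    }


def share_device_fixed(devices: dict, body: dict, session_user: Optional[str]) -> dict:
    """Hardened handler: authenticate the caller (AC-3), then make and enforce
    an explicit access decision bound to this caller and this device (AC-24)
    before touching sharing state."""
    if session_user is None:
        return {"status": 401, "error": "authentication required"}
    device = devices.get(body["device_id"])
    # One response for "no such device" and "not your device", so a caller
    # cannot enumerate device IDs or learn who owns a device they do not own.
    if device is None or device.owner != session_user:
        return {"status": 403, "error": "forbidden"}
    device.shared_owners.add(body["new_user"])
    # Only the caller-visible state is returned; no owner field to leak.
    return {"status": 200, "shared_owners": sorted(device.shared_owners)}


if __name__ == "__main__":
    attack = {"device_id": "feeder-001", "new_user": "mallory"}
    print("vulnerable:", share_device_vulnerable(sample_devices(), attack))
    store = sample_devices()
    print("fixed, no session:", share_device_fixed(store, attack, None))
    print("fixed, as mallory:", share_device_fixed(store, attack, "mallory"))
    print("fixed, as alice:  ", share_device_fixed(store, {"device_id": "feeder-001", "new_user": "bob"}, "alice"))
```

The decision in the fixed handler is made against the server-side session identity and the stored owner, never against anything in the request body; the body only names the device and the user to add. That is the whole difference between the two handlers, and it is the check the advisory says was missing.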