CVE-2025-62487

Jan. 9, 2026, 10:16 p.m.

3.5
Low

Description

### Details On October 1, 2025, Palantir discovered that images uploaded through the Dossier front-end app were not being marked correctly with the proper security levels. The regression was traced back to a change in May 2025, which was meant to allow file uploads to be shared among different artifacts (e.g. other dossiers and presentations). On deployments configured with CBAC, the front-end would present a security picker dialog to set the security level on the uploads, thereby mitigating the issue. On deployments without a CBAC configuration, no security picker dialog appears, leading to a security level of CUSTOM with no markings or datasets selected. The resulting markings and groups for the file uploads thus will be only those added by the “Default authorization rules” defined in the Auth Chooser configuration. On most environments, it is expected that the “Default authorization rules" only add the Everyone group.

Product(s) Impacted

Vendor Product Versions
Palantir
  • Dossier
  • *

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-863
Incorrect Authorization
The product performs an authorization check when an actor attempts to access a resource or perform an action, but it does not correctly perform the check. This allows attackers to bypass intended access restrictions.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a palantir dossier / / / / / / / /

References

https://palantir.safebase.us/?tcuUid=c91a1b4f-72e7-4959-9e2d-3a341e5c7a1f

Tags

CWE-863
cve-coordination@palantir.com
2026-01-09
CVE-2025-62487

CVSS Score

3.5 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: LOW
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: Jan. 9, 2026, 10:16 p.m.
Last Modified: Jan. 9, 2026, 10:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

cve-coordination@palantir.com

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.