cbcvebase.
CVE-2025-47411
published 2026-01-01

Priority: P2 64 · Severity: high · CVSS 3.1: 8.1
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS: 14.79% (96.3th percentile)

A user with a legitimate non-administrator account can exploit a vulnerability in the user ID creation mechanism in Apache StreamPipes that allows them to swap the username of an existing user with that of an administrator. This vulnerability allows an attacker to gain administrative control over the application by manipulating JWT tokens, which can lead to data tampering, unauthorized access and other security issues. This issue affects Apache StreamPipes: through 0.97.0. Users are recommended to upgrade to version 0.98.0, which fixes the issue.

Affected

2 ranges
| Vendor | Product | Version range | Fixed in |
| --- | --- | --- | --- |
| apache | streampipes | >= 0.69.0 < 0.98.0 | 0.98.0 |
| apache_software_foundation | apache_streampipes | 0.69.0 – 0.97.0 | |

Detection & IOCs (extracted from sources)

  • Look for JWT token manipulation attempts where a non-admin user's token contains or references an administrator's username/user ID, indicating exploitation of the user ID creation mechanism in Apache StreamPipes.
  • Monitor Apache StreamPipes instances running version 0.97.0 or earlier for privilege escalation activity, specifically non-admin accounts performing admin-level actions.
  • Alert on user ID creation or registration requests in Apache StreamPipes where the submitted username matches an existing administrator account, as this is the core mechanism of the swap attack.
  • The vulnerability exists in the Maven package org.apache.streampipes:streampipes-parent. Only versions through 0.97.0 are affected; version 0.98.0 contains the fix.
  • No public exploit code is currently available for this CVE, limiting immediate weaponization risk, but the attack vector requires only a legitimate non-administrator account.