**external-disclosures**

# RBAC Privilege Escalation via Opto22 Groov View API

## Package

Opto22 Groov EPICS

## Affected versions

All versions prior to 4.0.3

## Patched versions

4.0.3

## Description

### Impact

The View Users API endpoint returns a list of all users and their associated metadata, including each user's web API token. The endpoint is reachable with the Editor role, so any Editor can read the API keys of every user, including system-wide admins.

### Vulnerability Description

An RBAC privilege escalation issue was found that allows a malicious user holding the Editor role to escalate to admin-level access by reading the leaked web API token of a targeted admin user.
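To make the access-control flaw described in the Impact and Vulnerability Description sections concrete, the following is an added example (it is not code from Opto 22, from groov View, or from the advisory) that models a user-listing endpoint in Python. The user records, tokens, role names, and function names are assumptions for illustration only; the real endpoint path and response schema are not shown here. The vulnerable version gates the listing on the Editor role but serializes every user's token, so an Editor can harvest an admin's token; the hardened version never includes tokens in a list response and restricts listing other users to admins.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

# Roles ordered from least to most privileged (assumed for this example).
ROLE_RANK = {"viewer": 0, "editor": 1, "admin": 2}


@dataclass(frozen=True)
class User:
    username: str
    role: str
    api_token: str  # web API token; must never be exposed to other users


# Constructed sample directory: not real accounts or tokens.
USERS: List[User] = [
    User("alice", "admin", "tok-admin-0001"),
    User("bob", "editor", "tok-editor-0002"),
    User("carol", "viewer", "tok-viewer-0003"),
]


class Forbidden(Exception):
    """Raised when the caller's role is below the required minimum."""


def _require_role(caller: User, minimum: str) -> None:
    if ROLE_RANK[caller.role] < ROLE_RANK[minimum]:
        raise Forbidden(f"{caller.username} ({caller.role}) needs {minimum}")


def list_users_vulnerable(caller: User) -> List[Dict[str, str]]:
    """Models the flaw: the endpoint is guarded by an Editor-level check,
    but the response serializes every user's token, admins included."""
    _require_role(caller, "editor")
    return [
        {"username": u.username, "role": u.role, "api_token": u.api_token}
        for u in USERS
    ]


def list_users_fixed(caller: User) -> List[Dict[str, str]]:
    """Hardened form: listing other users is an admin action, and tokens are
    never serialized in a list response regardless of the caller's role."""
    _require_role(caller, "admin")
    return [{"username": u.username, "role": u.role} for u in USERS]


Listing = Callable[[User], List[Dict[str, str]]]


def leaked_admin_tokens(caller: User, listing: Listing) -> List[str]:
    """What an attacker does with the leak: call the listing as `caller` and
    collect every admin token it exposes. Returns [] if the call is refused
    or no token field is present."""
    try:
        entries = listing(caller)
    except Forbidden:
        return []
    return [
        e["api_token"]
        for e in entries
        if e["role"] == "admin" and "api_token" in e
    ]


if __name__ == "__main__":
    bob = USERS[1]  # Editor
    print("vulnerable:", leaked_admin_tokens(bob, list_users_vulnerable))
    print("fixed:     ", leaked_admin_tokens(bob, list_users_fixed))
```

The point of the hardened version is that the fix is not only a stricter role check: even an admin-only listing should not return other users' tokens, because a token that is displayed once is a token that can be copied. Credentials belong in a dedicated, per-user "rotate my token" flow, not in a directory response.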

### Identification and Remediation

This issue was identified during a Red Team X assessment and is tracked as CVE-2025-13084. It has since been resolved, and a fix (version 4.0.3) has been made available to customers.