Alteryx Server IDOR Advisory

Critical Information

CVE: CVE-2025-63291
Credit to discoverer: Aleksa Zatezalo

Disclosure Timeline

- Bug reported on July 12, 2024.
- Alteryx confirmed receipt within 24 hours.
- Patched in versions 2024.1 and later.
- Bug published in November 2025.

Summary

Authenticated users can bypass authorization checks and access other users' profile pages, including Private Studio API Keys and the API Keys of administrative users, by manipulating the MongoDB ObjectIDs that the profile endpoint uses to identify the user being viewed. This is an insecure direct object reference (IDOR): the server trusts the client-supplied identifier instead of checking that the requesting account is permitted to read that profile.

Affected Products and Versions

- Alteryx Server & Client 2022.1.0 through 2022.1.1.42654.
- Patched in versions 2024.1 and later.

Technical Details

The profile endpoint identifies the target user by a MongoDB ObjectID, a 24-character hexadecimal string. Substituting another user's ObjectID for your own returns that user's private profile information, including their API keys. ObjectIDs are not secrets: the 12-byte value is a 4-byte creation timestamp, a 5-byte per-process random value and a 3-byte counter that increments for every ID the process generates, so accounts created by the same server process differ only in the timestamp and counter fields. An authenticated attacker who knows their own ObjectID can therefore find other valid user IDs with little guessing, and no user interaction or elevated privilege is needed.

Impact

- Obtain high-privileged users' API keys.
- Access private workflows.
- Perform administrative actions.
- Exfiltrate data via the Alteryx Server API.

Mitigation

Update to Alteryx Client and Server 2024.1 or later.

References

- PortSwigger
- MongoDB
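The following Python is an added example and is not part of the advisory or of Alteryx's code. It shows the two halves of the issue described above: why ObjectID-keyed endpoints are cheap to enumerate (the only unknown between two IDs minted by the same process is the low counter bytes), and what the missing server-side check looks like. It assumes the MongoDB 3.4+ ObjectID layout; the sample ID, the neighbour_ids helper and the authorize_profile_read function are constructed for illustration and are not Alteryx identifiers or APIs.

```python
import struct
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample ID (not a real Alteryx user): timestamp 2024-07-12 00:00 UTC,
# process bytes a1b2c3d4e5, counter 0xfe.
SAMPLE_OID = "66907200a1b2c3d4e50000fe"

HEX = set("0123456789abcdefABCDEF")


def parse_object_id(oid: str) -> Dict[str, object]:
    """Split a 24-hex-char MongoDB ObjectID into its three fields.
    Layout (MongoDB 3.4+): 4-byte big-endian Unix timestamp, 5-byte per-process
    random value, 3-byte big-endian counter incremented per generated ID."""
    if len(oid) != 24 or any(c not in HEX for c in oid):
        raise ValueError("not a MongoDB ObjectID")
    raw = bytes.fromhex(oid)
    ts = struct.unpack(">I", raw[:4])[0]
    return {
        "timestamp": ts,
        "created": datetime.fromtimestamp(ts, tz=timezone.utc),
        "process": raw[4:9].hex(),
        "counter": int.from_bytes(raw[9:12], "big"),
    }


def neighbour_ids(oid: str, span: int = 3) -> List[str]:
    """Candidate IDs an attacker tries first: same timestamp and process bytes,
    counter within +/- span. Users created by the same server process in the
    same second (e.g. a bulk import) land here. The counter wraps at 2^24."""
    raw = bytes.fromhex(oid)
    base = int.from_bytes(raw[9:12], "big")
    out = []
    for delta in range(-span, span + 1):
        if delta == 0:
            continue
        counter = (base + delta) % (1 << 24)
        out.append((raw[:9] + counter.to_bytes(3, "big")).hex())
    return out


def authorize_profile_read(session_user_id: str, requested_id: str,
                           session_is_admin: bool) -> bool:
    """Hypothetical server-side check the vulnerable endpoint lacked.
    The ID in the request path is attacker-controlled, so a non-admin may only
    read the profile whose ID matches the one bound to their session. Malformed
    IDs are rejected rather than passed to the database. Returns True when the
    read may proceed."""
    try:
        parse_object_id(requested_id)
    except ValueError:
        return False
    if session_is_admin:
        return True
    return requested_id.lower() == session_user_id.lower()


if __name__ == "__main__":
    info = parse_object_id(SAMPLE_OID)
    print("created:", info["created"], "counter:", info["counter"])
    for cand in neighbour_ids(SAMPLE_OID, span=2):
        # A non-admin session holding SAMPLE_OID must be refused every neighbour.
        print(cand, "allowed" if authorize_profile_read(SAMPLE_OID, cand, False) else "denied")
```

The enumeration half is what a tester runs against a staging instance to confirm the bug; the authorization half is the fix pattern: derive the subject from the session, treat the path parameter as untrusted, and return the same response for "not yours" and "does not exist" so the endpoint cannot be used to confirm which IDs are valid.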