CRITICAL🇵🇱 Wersja polska

CVE-2025-62645

CVSS 9.9v3.1pub. 2025-10-17upd. 2025-11-04

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows a remote authenticated attacker to obtain a token with administrative privileges for the entire platform via the createToken GraphQL mutation.

🤖 AI Analysis
How it works

An attacker with an account (even with low privileges) can invoke a GraphQL mutation named 'createToken', which incorrectly processes the request and returns a token with administrative privileges at the platform level. The authorization mechanism does not properly verify the permission level of the user sending this request. As a result, a regular user can obtain a token that provides administrative access to all platform resources.

Impact

An attacker can gain full administrative control over the entire RBI Assistant platform, which provides access to data and configuration of all brands within the group (including Burger King, Tim Hortons, Popeyes). It is possible to read, modify or delete data and further compromise the confidentiality, integrity and availability of the system.

Mitigation & patch

Patches available from the manufacturer should be applied in accordance with references. Additionally, it is recommended to audit logs for unauthorized calls to the 'createToken' mutation in GraphQL and immediately revoke tokens issued before the fix was implemented.

Who is affected

Restaurant Brands International (RBI) Assistant platform in versions published through 2025-09-06 inclusive.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
  • Rbi Restaurant Brands International Assistant

    APP
    Rbi
    ≤ 2025-09-06
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2025-62650HIGH8.3ten sam produkt

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 relies on client-side authenti...

CVE-2025-62644MEDIUM5.0ten sam produkt

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 has a Global Store Directory t...

CVE-2025-62646MEDIUM5.0ten sam produkt

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to rev...

CVE-2025-62647MEDIUM5.0ten sam produkt

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 provides the functionality of ...

CVE-2025-62648MEDIUM6.4ten sam produkt

The Restaurant Brands International (RBI) assistant platform through 2025-09-06 allows remote attackers to adj...