[ixpmanager] [RELEASE] V7.3.0 - Security Updates (severity: high), App Passwords feature, API keys modernisation, bug fixes
Barry O'Donovan (INEX)
barry.odonovan at inex.ie
Tue Jun 30 19:33:47 IST 2026
INEX is pleased to announce the immediate availability of IXP Manager
v7.3.0. This is primarily a security release following a responsible
disclosure and subsequent internal hardening. Both issues have a high
severity. This release also includes some bug fixes, improvements, and
new features.
⚠️ All IXP Manager users should upgrade to v7.3.0.
Our Continuing Security Commitment & EU CRA Alignment
As IXP Manager powers critical internet infrastructure globally,
security is core to our processes, and this is the fourth successive
release primarily focused on security. We have also used third-party
reporting as a catalyst to perform proactive internal audits of our
codebase, leading to the discovery and immediate mitigation of
additional vulnerabilities.
Also, with the European Union’s Cyber Resilience Act mandatory reporting
requirements taking effect this September, INEX is cognisant of our
legal role as an Open-Source Software Steward. To meet these
obligations, we have reviewed and updated our Security Policy
<https://github.com/inex/IXP-Manager/security/policy>.
Security Advisory: Vulnerabilities Resolved in v7.3.0
Impact: High (Privilege Escalation & Unauthorised Access)
1. Privilege Escalation (CVE pending) (Severity: 8.8/10) - a confirmed
   vulnerability allows an authenticated, non-administrative user to
   elevate their privileges to administrator status. This was responsibly
   disclosed.
2. Broken Object-Level Authorisation (CVE pending) (Severity: 8.3/10) -
   following the initial report of (1) above, our development team
   conducted a proactive internal audit. During this review, we identified
   and corrected an issue in which an authenticated user could view and
   edit a resource belonging to another user without authorisation.
Remediation: Both issues are addressed in this v7.3.0 release. Please
upgrade to v7.3.0 as soon as possible.
Kind regards,
Barry O'Donovan
INEX