Skip to main content
Mallory
Back to vulnerabilities
MediumCISA KEVExploited in the wildPublic exploit

Path Traversal Authentication Bypass in Qlik Sense Enterprise for Windows

IdentifiersCVE-2023-41266CWE-22· Improper Limitation of a Pathname…

CVE-2023-41266 is a path traversal vulnerability in Qlik Sense Enterprise for Windows. According to the provided content, the Qlik proxy permits unauthenticated access to request paths beginning with /resources/qmc/fonts/ and ending in .ttf. Because the proxy does not properly normalize the request path before applying this allowlist logic, an attacker can use traversal sequences such as ../../../ to escape the intended font directory and reach internal REST endpoints. This flaw allows an unauthenticated remote attacker to generate an anonymous session and send HTTP requests to endpoints that should require authentication. Praetorian’s analysis indicates the issue can be used as an authentication bypass on its own and can also be chained with CVE-2023-41265 to reach unauthenticated remote code execution against Qlik Sense Enterprise for Windows.

Share:
For your environment

Are you exposed to this one?

Mallory correlates every CVE against your assets, your vendors, and active adversary campaigns. Know which vulnerabilities matter for you, not just which ones are loud.

Start free trial
ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated attacker to bypass normal authentication controls and access internal Qlik Sense endpoints that are not intended to be reachable anonymously. On its own, this provides unauthorized access to internal application functionality and can expose sensitive application behavior or administrative APIs. In the attack chain described in the provided content, CVE-2023-41266 serves as the authentication-bypass component that, when combined with CVE-2023-41265, enables creation of external program tasks and ultimately unauthenticated remote code execution, which has been associated with real-world intrusions and Cactus ransomware activity.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by removing direct internet access to Qlik Sense Enterprise for Windows, especially the proxy interface. Restrict access to trusted networks or place the service behind a hardened access control layer. Monitor Qlik proxy audit logs for traversal attempts involving /resources/qmc/fonts/ and suspicious extensions such as .ttf, .woff, .otf, or .eot. Investigate unexpected files such as qle.ttf or qle.woff under Qlik font paths, as these were cited as indicators of compromise. Because this flaw has been chained with other Qlik vulnerabilities for code execution, defenders should also review Scheduler.exe child processes and other signs of post-exploitation.

Remediation

Patch, then assume compromise.

Apply Qlik’s fixed releases for Qlik Sense Enterprise for Windows. The provided content states this issue is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13. Additional content indicates later cumulative fixes were also released in subsequent supported branches. Organizations should upgrade to the vendor-provided patched version for their release branch or a newer supported release. End-of-support versions should be replaced with supported, patched versions.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

VALID 0 / 1 TOTALView more in app

All candidate exploits were filtered out by Mallory's validation.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability. Open in Mallory to drill down to specific CPE configurations and version ranges.

VendorProductType
QlikQlik Senseapplication

Vendor-confirmed product mapping. Mallory continuously reconciles this list against your asset inventory.

ACTIVITY FEED

Recent activity

6 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

6 SOURCESView more in app
halcyon attacks newsNews
Aug 4, 2025
Power Rankings: Ransomware Malicious Quartile Q2-2025

A vulnerability in Qlik Sense exploited by Cactus ransomware for initial access.

Read more
ncc group researchNews
Apr 25, 2024
Sifting through the spines: identifying (potential) Cactus ransomware victims

A specific Qlik Sense vulnerability cited as being exploited by the Cactus ransomware group for initial access.

Read more
kyberturvallisuuskeskus alertsNews
Nov 30, 2023
Kriittinen haavoittuvuus Qlik Sense -tuotteessa | Traficom

A specific vulnerability affecting Qlik Sense Enterprise for Windows referenced in a vendor advisory and linked to reporting about exploitation.

Read more
kyberturvallisuuskeskus alertsNews
Nov 30, 2023
Kriittinen haavoittuvuus Qlik Sense -tuotteessa | Traficom

A specific vulnerability affecting Qlik Sense Enterprise for Windows that is referenced in vendor advisories and linked to reporting on exploitation.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets are affected, which adversaries are exploiting it right now, which detections to deploy, and what to do tonight.
Start free trial
Exposure mapping

Query your assets running an affected version, and investigate the blast radius.

Threat actor evidence1

Every observed campaign linking this CVE to a named adversary.

Associated malware6

Malware families riding this exploit, with evidence and IOCs.

Detection signatures1

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Vendor-by-vendor mapping

Cross-references every affected SKU, including bundled OEM variants.

Social activity

Community discussion across Reddit, Mastodon, and other social sources.

EXTERNAL REFERENCES
MITRE CVE
cve.org · CVE-2023-41266
NVD
nvd.nist.gov/vuln/detail/CVE-2023-41266
MITRE CWE · CWE-22
Improper Limitation of a Pathname to a…
Vendor Advisory
community.qlik.com/t5/Official-Support-Articles/Critical-Security-fixes-for-Qlik-Sense-Enterprise-for-Windows/ta-p/2110801
Release Notes
community.qlik.com/t5/Release-Notes/tkb-p/ReleaseNotes
US Government Resource
cisa.gov/known-exploited-vulnerabilities-catalog?field_cve=CVE-2023-41266