Mallory
Severity: Medium · CISA KEV · Exploited in the wild · Public exploit

Path Traversal Authentication Bypass in Qlik Sense Enterprise for Windows

Identifiers: CVE-2023-41266 · CWE-22 (Improper Limitation of a Pathname…)

CVE-2023-41266 is a path traversal vulnerability in Qlik Sense Enterprise for Windows. The Qlik proxy permits unauthenticated access to request paths that begin with /resources/qmc/fonts/ and end with a font-file extension such as .ttf. Because the proxy does not normalize the path before applying this allow rule, traversal sequences such as ../../../ escape the intended fonts directory and reach internal REST endpoints. The result is an authentication bypass: an unauthenticated remote attacker can generate an anonymous session and send HTTP requests to internal endpoints that should require authentication. The issue affects May 2023 Patch 3 and earlier, February 2023 Patch 7 and earlier, November 2022 Patch 10 and earlier, and August 2022 Patch 12 and earlier. The flaw has been used in exploit chains against internet-exposed Qlik Sense systems and can be combined with CVE-2023-41265 to achieve unauthenticated remote code execution.
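The core defect is an allow rule evaluated on the raw request string instead of on the canonical path. The following Python is an added illustration, not Qlik's proxy code: it places that naive prefix/suffix check beside a version that percent-decodes and normalizes the path first, and runs both over constructed sample requests. The prefix and extensions are the ones named above; the function names, the sample paths and the `internal-endpoint-placeholder` segment are constructed for the example and do not correspond to any real Qlik endpoint.

```python
"""Added illustration, not Qlik's code: a prefix/suffix allow rule evaluated
on the raw request path versus the same rule evaluated after the path is
canonicalized. Function names and sample paths are constructed for this
example; the prefix and extensions are the ones named on the page."""
import posixpath
from urllib.parse import unquote

FONT_PREFIX = "/resources/qmc/fonts/"
FONT_EXTENSIONS = (".ttf", ".woff", ".otf", ".eot")


def is_anonymous_allowed_naive(raw_path: str) -> bool:
    """Vulnerable pattern: string tests on the raw, un-normalized path.
    Anything that merely starts and ends with the right strings passes,
    regardless of the '..' segments in between."""
    return raw_path.startswith(FONT_PREFIX) and raw_path.lower().endswith(FONT_EXTENSIONS)


def canonicalize(raw_path: str) -> str:
    """Percent-decode, drop any query string, then resolve '.' and '..'.
    For an absolute path, posixpath.normpath never climbs above '/'."""
    decoded = unquote(raw_path.split("?", 1)[0])
    canon = posixpath.normpath(decoded)
    return canon if canon.startswith("/") else "/" + canon


def is_anonymous_allowed_hardened(raw_path: str) -> bool:
    """Hardened pattern: decide on the canonical path. Traversal segments
    collapse away, so the prefix test sees where the request really lands.
    The router must then dispatch on the same canonical path; otherwise the
    check and the handler disagree about what is being served."""
    canon = canonicalize(raw_path)
    return canon.startswith(FONT_PREFIX) and canon.lower().endswith(FONT_EXTENSIONS)


def compare(paths):
    """Return (path, resolved, naive_verdict, hardened_verdict) per input."""
    return [
        (p, canonicalize(p), is_anonymous_allowed_naive(p), is_anonymous_allowed_hardened(p))
        for p in paths
    ]


if __name__ == "__main__":
    # Constructed sample requests; the placeholder segment is not a real Qlik endpoint.
    samples = [
        "/resources/qmc/fonts/regular.ttf",
        "/resources/qmc/fonts/../../../internal-endpoint-placeholder/x.ttf",
        "/resources/qmc/fonts/%2e%2e/%2e%2e/x.ttf",
    ]
    for path, resolved, naive, hardened in compare(samples):
        print(f"{path}\n  resolves to {resolved}\n  naive allow={naive}  hardened allow={hardened}")
```

The decoding step matters as much as the normalization: a check that normalizes before decoding still sees encoded dot segments as ordinary characters, so canonicalization has to run on the form of the path the server will actually use.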


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an unauthenticated remote attacker to bypass normal authentication controls on the Qlik proxy and access internal application endpoints that should not be reachable anonymously. On its own, this provides unauthorized access to internal REST functionality and anonymous session generation. In the broader attack chain, this access can be combined with CVE-2023-41265 to impersonate trusted internal identities and create external program tasks, ultimately leading to unauthenticated remote code execution on the Qlik Sense server. Real-world exploitation has been reported by the Cactus ransomware group against publicly exposed Qlik Sense installations for initial access.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, reduce exposure by removing direct internet access to Qlik Sense services and restricting access to trusted network paths only. Monitor Qlik proxy audit logs for traversal attempts involving /resources/qmc/fonts/ and font extensions such as .ttf, .woff, .otf, or .eot. Review systems for the indicators of compromise noted above, including unexpected files such as qle.ttf or qle.woff in Qlik font directories and suspicious child processes spawned by Scheduler.exe. These measures are compensating controls only and do not replace vendor patching.
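The monitoring and IoC review described above can be scripted. The following Python is an added example, not Mallory's or Qlik's tooling: it triages access-log lines for requests that claim the font allow-rule prefix but resolve outside the fonts directory once decoded and normalized, flags any other dot-dot segment, and checks a font-directory listing for the qle.ttf / qle.woff filenames. The log layout (timestamp, client IP, method, path, status) and every log line below are constructed for the example; adapt the regex to the real Qlik proxy audit-log format before running it against production logs. Client addresses use the 203.0.113.0/24 documentation range.

```python
"""Added example, not Qlik's or Mallory's tooling: triage proxy log lines for
the font-path traversal pattern and check font directories for the IoC files
named on the page. The log layout and all sample lines are constructed."""
import posixpath
import re
from urllib.parse import unquote

FONT_PREFIX = "/resources/qmc/fonts/"
FONT_EXTENSIONS = (".ttf", ".woff", ".otf", ".eot")
IOC_FILENAMES = {"qle.ttf", "qle.woff"}

REASON_FONT_ESCAPE = "font allow-rule prefix with traversal escaping the fonts directory"
REASON_DOTDOT = "dot-dot segment in request path"

# Constructed layout: <timestamp> <client-ip> <method> <path> <status>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<ip>\S+)\s+(?P<method>[A-Z]+)\s+(?P<path>\S+)\s+(?P<status>\d{3})$"
)


def decode_path(raw_path: str) -> str:
    """Percent-decode and drop the query string; this is what a server would route on."""
    return unquote(raw_path.split("?", 1)[0])


def canonicalize(raw_path: str) -> str:
    """Resolve '.' and '..' in the decoded path; normpath never climbs above '/'."""
    canon = posixpath.normpath(decode_path(raw_path))
    return canon if canon.startswith("/") else "/" + canon


def classify_request(raw_path: str):
    """Return a reason string when the request matches a traversal pattern, else None."""
    decoded = decode_path(raw_path)
    canon = canonicalize(raw_path)
    claims_font = decoded.startswith(FONT_PREFIX) and decoded.lower().endswith(FONT_EXTENSIONS)
    if claims_font and not canon.startswith(FONT_PREFIX):
        return REASON_FONT_ESCAPE          # the pattern this CVE relies on
    if ".." in decoded.split("/"):
        return REASON_DOTDOT               # generic traversal elsewhere in the path
    return None


def triage_log(lines):
    """Parse each line; return a finding per suspicious request, in log order."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue                       # skip lines that do not fit the layout
        reason = classify_request(m["path"])
        if reason:
            findings.append({
                "ip": m["ip"],
                "raw": m["path"],
                "resolved": canonicalize(m["path"]),
                "reason": reason,
            })
    return findings


def suspicious_font_files(listing):
    """Return filenames from a font-directory listing that match the named IoCs."""
    return sorted(name for name in listing if name.lower() in IOC_FILENAMES)


# Constructed sample log; the 'internal/placeholder' path is not a real Qlik endpoint.
SAMPLE_LOG = [
    "2023-11-20T10:15:32Z 203.0.113.5 GET /resources/qmc/fonts/regular.ttf 200",
    "2023-11-20T10:15:40Z 203.0.113.9 GET /resources/qmc/fonts/../../../internal/placeholder.ttf 200",
    "2023-11-20T10:15:41Z 203.0.113.9 GET /resources/qmc/fonts/%2e%2e/%2e%2e/x.woff 200",
    "2023-11-20T10:16:02Z 203.0.113.7 GET /hub/ 302",
    "2023-11-20T10:16:10Z 203.0.113.5 GET /content/../default/styles.css 200",
    "malformed entry that does not fit the layout",
]

if __name__ == "__main__":
    for f in triage_log(SAMPLE_LOG):
        print(f"{f['ip']}  {f['raw']}  ->  {f['resolved']}  [{f['reason']}]")
    print("IoC files:", suspicious_font_files(["regular.ttf", "qle.ttf", "bold.woff"]))
```

Flag on the resolved path rather than on the literal string "../": the third sample line carries no literal dot-dot until it is decoded, and a log search for `../` alone would miss it.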

Remediation

Patch, then assume compromise.

Apply the vendor-fixed releases for Qlik Sense Enterprise for Windows. The issue is fixed in August 2023 IR, May 2023 Patch 4, February 2023 Patch 8, November 2022 Patch 11, and August 2022 Patch 13. Later cumulative security updates were also released for supported branches. End-of-support versions should be upgraded or replaced. Because this vulnerability has been exploited in the wild, patching should be prioritized for any internet-exposed Qlik Sense deployment.
PUBLIC EXPLOITS

Exploits

No valid public exploits. Mallory filtered out 1 candidate as fakes, detection scripts, or README-only repos.

Valid: 0 / 1 total.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor   Product      Type
Qlik     Qlik Sense   application

Vendor-confirmed product mapping.
