
Qlik: ZeroQlik: Unauthenticated RCE in Qlik Sense via HTTP Request Tunneling

CVE-2023-41265 · Critical · Published

  • CVSS: 9.6 Critical (network attack vector, low privileges required)
  • EPSS: 0.92414 (92.4% chance of exploit in 30d)
  • CWE: CWE-444 Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Summary

Per Qlik advisory 2110801: “CVE-2023-41265 (QB-21222) HTTP Tunneling vulnerability in Qlik Sense Enterprise for Windows.” Per NVD: “Due to improper validation of HTTP headers, a remote attacker is able to elevate their privilege by tunneling HTTP requests, allowing them to send requests that get executed by the backend server” — specifically the repository application.

Affected Packages / Versions

  • Package: Qlik Sense Enterprise for Windows (—)
  • Latest published version at triage time: Same tracks as CVE-2023-41266
  • Affected range: Per Qlik advisory 2110801: "All versions of Qlik Sense Enterprise for Windows prior to and including: May 2023 Patch 3, February 2023 Patch 7, November 2022 Patch 10, August 2022 Patch 12."
  • Patched version: Qlik Sense August 2023 Patch 1 and earlier-track equivalents. Note: Praetorian's later research (CVE-2023-48365 "DoubleQlik") demonstrated the original fix was bypassable; the August 2023 Patch 2 closes the bypass.

Impact

Per Praetorian’s blog: “these vulnerabilities provided an attacker the ability to perform administrative actions including remote code execution through the execution of external tasks and adding a new administrative user to the Qlik Sense Enterprise application.” Per Qlik: “Qlik has received reports that this vulnerability may be being used by malicious actors.” Listed in CISA’s Known Exploited Vulnerabilities Catalog.

Severity Rationale

NVD CVSS 9.6 (Critical): network attack vector, low attack complexity, low privileges required (lifted to none when chained with CVE-2023-41266), no user interaction, changed scope, high confidentiality and integrity impact, no availability impact.

Fix

Per NVD, upgrade to Qlik Sense Enterprise August 2023 Patch 1 or the equivalent backport. Per Praetorian’s DoubleQlik follow-up (CVE-2023-48365), the original patch was bypassable; ensure the subsequent patch (August 2023 Patch 2) is also applied.

Disclosure timeline

  • Reported to vendor: TBD
  • Patch released: Aug 29, 2023 (Qlik advisory 2110801 created)
  • Public disclosure: TBD

Discovered by Adam Crosser and Thomas Hendrickson (Praetorian) — per Qlik's official advisory · Published April 29, 2026