
Qlik: DoubleQlik: Bypassing the Original Fix for CVE-2023-41265 to Re-Achieve Unauthenticated RCE

CVE-2023-48365 · Critical · Published

  • CVSS: 9.6 Critical · Network · Low PR
  • EPSS: 0.62004 (62.0% chance of exploit in 30d)
  • CWE: CWE-444 Inconsistent Interpretation of HTTP Requests (HTTP Request/Response Smuggling)
  • Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N

Summary

Per Praetorian’s blog: “On August 29th, 2023, Qlik issued a patch for two vulnerabilities we identified in Qlik Sense Enterprise, CVE-2023-41265 and CVE-2023-41266. … As part of our standard operating procedure, we performed a diff of the issued patch to identify potential bypasses … we identified a bypass for the original fix for CVE-2023-41265 which allowed for unauthenticated remote code execution even after applying the patches for CVE-2023-41265 and CVE-2023-41266.” Per Qlik’s own advisory 2120510: “This resolves an incomplete fix for CVE-2023-41265.”

Affected Packages / Versions

  • Package: Qlik Sense Enterprise for Windows (—)
  • Latest published version at triage time: August 2023 Patch 1 (incomplete fix)
  • Affected range: Per Qlik advisory 2120510 (created Sep 20, 2023): all versions prior to and including August 2023 Patch 1, May 2023 Patch 5, February 2023 Patch 9, November 2022 Patch 11, August 2022 Patch 13, May 2022 Patch 15, February 2022 Patch 14, and November 2021 Patch 16.
  • Patched version: Per Qlik advisory: see article 2120510 for the patched-version-by-track list (Qlik issued a second patch after the original fix for CVE-2023-41265 was bypassed).

Impact

Per Praetorian’s blog: the bypass restores the original HTTP-request-tunneling primitive that CVE-2023-41265 documented — specifically by passing non-exact values for the “`Transfer-Encoding: chunked`” header that the original denylist-based filter does not match exactly but the backend still treats as semantically equivalent to chunked. NVD scores the bypass as “unauthenticated remote code execution.” Qlik’s advisory: “Qlik has received reports that this vulnerability may be being used by malicious actors.” Listed in CISA’s Known Exploited Vulnerabilities Catalog.
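The failure mode described above, an exact-match denylist on `Transfer-Encoding: chunked` that the backend's more lenient header parsing does not share, is easiest to see beside its hardened counterpart. The following is an added example, not code from the advisory, from Qlik, or from Praetorian: it parses a constructed header block, shows a naive literal-match filter, and then applies the normalised, allow-list style check a front-end filter should use instead (fold header-name and transfer-coding case per RFC 7230, split comma lists, and refuse any request whose body framing is ambiguous). The function names, the `example.invalid` host and the sample requests are all constructed for illustration.

```python
# Added example: exact-match denylist versus normalised body-framing check.
# Not the advisory's, Qlik's or Praetorian's code; names and samples are constructed.

from typing import List, Tuple

Header = Tuple[str, str]

VERDICT_ALLOW = "allow"
VERDICT_TE = "reject: Transfer-Encoding present"
VERDICT_CL_TE = "reject: Content-Length and Transfer-Encoding both present (CL.TE/TE.CL ambiguity)"


def parse_headers(raw: str) -> List[Header]:
    """Split a raw HTTP/1.1 message into (name, value) header pairs.

    The request line is skipped and parsing stops at the blank line that ends
    the header block. Names keep their original spelling so the naive filter
    below can be shown exactly as written; values are only whitespace-trimmed.
    """
    headers: List[Header] = []
    for line in raw.split("\r\n")[1:]:
        if line == "":
            break
        name, _, value = line.partition(":")
        headers.append((name, value.strip()))
    return headers


def denylist_exact_match(headers: List[Header]) -> bool:
    """Naive filter of the shape the Impact section describes.

    It blocks only the literal spelling on its denylist, so any semantically
    equivalent spelling the backend still honours passes straight through.
    """
    return any(n == "Transfer-Encoding" and v == "chunked" for n, v in headers)


def transfer_encoding_tokens(headers: List[Header]) -> List[str]:
    """Normalise Transfer-Encoding before comparing anything.

    RFC 7230: field names are case-insensitive, transfer-coding names are
    case-insensitive, and the value is a comma-separated list that may be
    spread over several header lines. All of that is folded here.
    """
    tokens: List[str] = []
    for name, value in headers:
        if name.strip().lower() != "transfer-encoding":
            continue
        for tok in value.split(","):
            tok = tok.strip().lower()
            if tok:
                tokens.append(tok)
    return tokens


def framing_verdict(headers: List[Header]) -> str:
    """Hardened rule for a front-end that only accepts Content-Length framing.

    Instead of denylisting spellings, allow exactly one body framing and
    reject everything else: any Transfer-Encoding at all, and in particular
    a message carrying both Content-Length and Transfer-Encoding, which is
    the CL.TE / TE.CL ambiguity the Fix section names.
    """
    te = transfer_encoding_tokens(headers)
    has_cl = any(n.strip().lower() == "content-length" for n, _ in headers)
    if te and has_cl:
        return VERDICT_CL_TE
    if te:
        return VERDICT_TE
    return VERDICT_ALLOW


# Constructed sample requests (not captured traffic).
REQ_EXACT = "POST /x HTTP/1.1\r\nHost: example.invalid\r\nTransfer-Encoding: chunked\r\n\r\n"
REQ_CASE = "POST /x HTTP/1.1\r\nHost: example.invalid\r\ntransfer-encoding: Chunked\r\n\r\n"
REQ_CL_ONLY = "POST /x HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 5\r\n\r\nhello"
REQ_BOTH = "POST /x HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("exact", REQ_EXACT), ("case-variant", REQ_CASE),
                       ("cl-only", REQ_CL_ONLY), ("cl+te", REQ_BOTH)]:
        hdrs = parse_headers(req)
        print(f"{label:12s} denylist_blocks={denylist_exact_match(hdrs)!s:5s} "
              f"normalised={transfer_encoding_tokens(hdrs)} verdict={framing_verdict(hdrs)}")
```

The design point is that the front-end and the backend must agree on body framing; a filter that compares one spelling can never guarantee that, whereas refusing every framing except the one the front-end itself parses leaves no room for the two components to disagree.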

Severity Rationale

Per Qlik’s advisory 2120510: “Severity: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:N (9.6 Critical).” Matches NVD.

Fix

Per Praetorian’s blog: “Qlik has issued a second patch to address this workaround. The new patch implements a more robust filtering mechanism that is less prone to CL.TE and TE.CL request tunneling attacks. A new CVE, CVE-2023-48365, tracks this vulnerability.”

Disclosure timeline

  • TBD · Reported to vendor
  • Sep 20, 2023 · Qlik advisory 2120510 created (second patch)
  • TBD · Public disclosure

Fix Commit(s)

References

Discovered by Adam Crosser and Thomas Hendrickson (Praetorian) — per Qlik's official advisory · Published April 29, 2026