What is Qlik Sense?
Qlik Sense Enterprise is a widely-deployed business intelligence (BI) and data analytics platform used by thousands of organizations globally to create dashboards, visualizations, and reports from enterprise data sources. Qlik Sense Enterprise for Windows runs as a server-side application typically exposed to internal networks — and sometimes directly to the internet — to enable browser-based access by business users. Because Qlik Sense has broad access to enterprise data (connecting to databases, data warehouses, and cloud sources), compromising it gives attackers access to sensitive business data and a foothold within the enterprise network.
Overview
CVE-2023-41266 is a path traversal vulnerability in Qlik Sense Enterprise for Windows that allows an unauthenticated attacker to create an anonymous user session by sending maliciously crafted HTTP requests, enabling further unauthorized requests to internal endpoints. It is typically exploited in combination with CVE-2023-41265 (HTTP Request Tunneling / privilege escalation). This vulnerability chain was actively exploited by the Cactus ransomware group starting in late October/early November 2023, shortly after the patch was publicly available for reverse engineering.
Affected Versions
| Product | Vulnerable Patch Level | Fixed In |
|---|---|---|
| Qlik Sense Enterprise for Windows | Patches prior to August 2023 | August 2023 Patch (IR-2023-28) |
Qlik Sense uses a monthly patch model; any Sense version running without the August 2023 patch applied is vulnerable, regardless of its base release.
Technical Details
The vulnerability is a path traversal (CWE-22) in Qlik Sense's HTTP request routing layer. By inserting path traversal sequences (e.g., /../) into the request URL, an attacker can route HTTP requests to endpoints that are normally restricted to authenticated sessions. The traversal bypasses Qlik's URL-based access controls and causes the server to treat the request as if it originated from an anonymous authenticated session rather than an external unauthenticated request.
With an anonymous session established via CVE-2023-41266, the attacker then leverages CVE-2023-41265 (HTTP Request Tunneling) to send tunneled HTTP requests that impersonate an elevated-privilege user, ultimately enabling execution of arbitrary commands on the underlying Windows server with SYSTEM or administrator-level privileges.
In the Cactus ransomware campaigns, this chain was used to deploy a remote access tool, establish persistence, move laterally through the victim's environment, exfiltrate data, and ultimately encrypt files and demand ransom.
Discovery
The vulnerabilities were discovered by security researchers and disclosed to Qlik in August 2023. Cactus ransomware operators began exploiting the chain approximately two months after the patch was published — a typical timeline for ransomware groups that reverse-engineer vendor patches to identify the exploitable differences.
Exploitation Context
Arctic Wolf Networks documented Cactus ransomware group exploitation beginning in late October/early November 2023. Victims included organizations across multiple industry sectors that had not applied Qlik's August 2023 patches. The ransomware operators used the Qlik Sense vulnerability as the initial access vector, followed by deployment of Cobalt Strike or other post-exploitation frameworks, credential harvesting, and data exfiltration before encrypting systems.
CISA added CVE-2023-41266 (and CVE-2023-41265) to the KEV catalog on December 7, 2023, confirming the active ransomware exploitation.
Remediation
- Apply Qlik's August 2023 patch immediately — consult the Qlik security advisory (ta-p/2110801) for the specific patch package for your Qlik Sense Enterprise version.
- Restrict network access to Qlik Sense — if Qlik Sense is internet-exposed, place it behind a VPN or restrict access to known IP ranges; business intelligence platforms should not be directly accessible from the internet.
- Check for signs of compromise — look for unusual process executions spawned by the Qlik Sense service account, new scheduled tasks, new local accounts, or unexpected outbound connections.
- Review Qlik Sense access logs for malformed or path-traversal-containing HTTP requests, especially from external IP addresses.
- Audit connected data sources — if Qlik Sense has been compromised, assume that credentials for all connected databases and cloud services are also compromised; rotate them immediately.
- Isolate the Qlik Sense server if compromise is suspected — disconnect it from production data sources while the incident is investigated.
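As an added illustration of the log-review step above (not code from Qlik or the advisory), the following Python scans access-log lines for request paths that contain a `..` segment after bounded URL decoding, so that percent-encoded and double-encoded traversal attempts are caught as well as the literal `/../` form. The log layout, sample lines, and the internal address prefixes are constructed assumptions; adapt the regex and `INTERNAL_NETS` to the real Qlik Sense proxy log format and your own address ranges.

```python
import re
from urllib.parse import unquote

# Constructed sample lines in a generic layout (client IP, method, path, status).
# The real Qlik Sense proxy/repository log layout is NOT assumed here.
SAMPLE_LOG = """\
10.0.0.5 GET /hub/ 200
203.0.113.7 GET /resources/qmc/fonts/../../../api/hub/v1/user/info 200
203.0.113.7 GET /resources/%2e%2e/%2e%2e/api/engine 200
198.51.100.9 GET /resources/%252e%252e/hub 404
10.0.0.8 GET /content/Default/logo.png 200
"""

# Placeholder prefixes standing in for the site's internal address ranges.
INTERNAL_NETS = ("10.", "192.168.", "172.16.")

LINE_RE = re.compile(r"^(?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$")


def normalize_path(path: str, max_rounds: int = 3) -> str:
    """URL-decode repeatedly (bounded) so %2e%2e and double-encoded forms
    collapse to literal '..' segments, then unify backslashes to slashes."""
    decoded = path
    for _ in range(max_rounds):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.replace("\\", "/")


def has_traversal(path: str) -> bool:
    """True if any path segment is exactly '..' after normalization."""
    return any(seg == ".." for seg in normalize_path(path).split("/"))


def find_traversal_requests(log_text: str):
    """Return (ip, path, is_external) for each parseable line whose request
    path contains a traversal segment; unparseable lines are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and has_traversal(m["path"]):
            is_external = not m["ip"].startswith(INTERNAL_NETS)
            hits.append((m["ip"], m["path"], is_external))
    return hits


if __name__ == "__main__":
    for ip, path, is_external in find_traversal_requests(SAMPLE_LOG):
        print(f"{'EXTERNAL' if is_external else 'internal'} {ip} {path}")
```

Flagged requests from external addresses against a server that should not be internet-facing deserve immediate follow-up with the compromise checks listed above.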
Key Details
| Property | Value |
|---|---|
| CVE ID | CVE-2023-41266 |
| Vendor / Product | Qlik — Sense |
| NVD Published | 2023-08-29 |
| NVD Last Modified | 2025-10-31 |
| CVSS 3.1 Score | 8.2 |
| CVSS 3.1 Vector | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N |
| Severity | HIGH |
| CWE | CWE-22 |
| CISA KEV Added | 2023-12-07 |
| CISA KEV Deadline | 2023-12-28 |
| Known Ransomware Use | ⚠️ Yes |
Timeline
| Date | Event |
|---|---|
| 2023-08-29 | Qlik publishes advisory and patches for CVE-2023-41266 and companion CVE-2023-41265 |
| 2023-11-01 | Arctic Wolf reports Cactus ransomware group actively exploiting the Qlik Sense vulnerability chain |
| 2023-12-07 | Added to CISA Known Exploited Vulnerabilities catalog |
| 2023-12-28 | CISA BOD 22-01 remediation deadline |
References
| Resource | Type |
|---|---|
| Qlik Security Advisory: Critical Security Fixes for Qlik Sense Enterprise for Windows | Vendor Advisory |
| Arctic Wolf: Cactus Ransomware Exploiting Qlik Sense Vulnerabilities | Security Research |
| NVD — CVE-2023-41266 | Vulnerability Database |
| CISA KEV Catalog Entry | US Government |