Given a child tracker C with a "parent" tracker P (in the Trackers Hierarchy sense), a GET /api/trackers/{id of C} returns the name and color of P in the JSON response even when the requester has no permission to access tracker P at all.
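To make the authorization gap concrete, here is an added illustration (not the project's code) of how a tracker representation leaks the parent's name and color, and of the corrected form that applies the same read check to the parent. The tracker data, the JSON field names and the permission model are constructed for this example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed sample data (hypothetical schema): parent P is readable only by
# "admins"; child C is readable by "members" and points at P as its parent.
@dataclass(frozen=True)
class Tracker:
    id: int
    name: str
    color: str
    readable_by: frozenset
    parent_id: Optional[int] = None

TRACKERS = {
    1: Tracker(1, "Confidential Roadmap", "red-wine", frozenset({"admins"})),
    2: Tracker(2, "Public Bugs", "inca-silver", frozenset({"members", "admins"}), parent_id=1),
}

def user_can_read(tracker: Tracker, user_groups: set) -> bool:
    """Permission check: the user must belong to at least one allowed group."""
    return bool(tracker.readable_by & user_groups)

def parent_summary(parent: Tracker) -> dict:
    """Hypothetical JSON shape for the embedded parent reference."""
    return {"id": parent.id, "label": parent.name, "color_name": parent.color}

def represent_vulnerable(tracker_id: int, user_groups: set) -> Optional[dict]:
    """Behaviour described in the advisory: the child is checked, but the parent's
    name and color are embedded without checking the parent's own permissions."""
    t = TRACKERS[tracker_id]
    if not user_can_read(t, user_groups):
        return None
    parent = TRACKERS.get(t.parent_id) if t.parent_id is not None else None
    return {"id": t.id, "label": t.name, "color_name": t.color,
            "parent": parent_summary(parent) if parent else None}

def represent_fixed(tracker_id: int, user_groups: set) -> Optional[dict]:
    """Hardened form: the parent is only embedded when the requester may read it."""
    t = TRACKERS[tracker_id]
    if not user_can_read(t, user_groups):
        return None
    parent = TRACKERS.get(t.parent_id) if t.parent_id is not None else None
    visible = parent is not None and user_can_read(parent, user_groups)
    return {"id": t.id, "label": t.name, "color_name": t.color,
            "parent": parent_summary(parent) if visible else None}

def leaks_parent(representation: Optional[dict], user_groups: set) -> bool:
    """Audit helper: True when a response embeds a parent the user cannot read."""
    if not representation or not representation.get("parent"):
        return False
    parent = TRACKERS[representation["parent"]["id"]]
    return not user_can_read(parent, user_groups)
```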
Impact
An attacker could see tracker names that are not supposed to be revealed.
CVSSv3.1 score: 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)
References
CWE-863
CVE-2025-30155