CVE-2026-11369 (base score 7.1)
- EPSS 0.21%
- Published 05.06.2026 12:37:46
- Last modified 05.06.2026 16:07:31
- Source 86c47df7-7d28-48da-920a-6423c5
- CVE watchlists
- Unresolved
IDOR in Comment API Allows Cross-Process Comment Read and Write
The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.
Data provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: linqi GmbH
Product: linqi
- Default status: unaffected
- Version 0 up to and including 1.4.8.5: affected
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.21% | 0.107 |

| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| 86c47df7-7d28-48da-920a-6423c52fd3da | 7.1 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
CWE-639 Authorization Bypass Through User-Controlled Key
The system's authorization functionality does not prevent one user from gaining access to another user's data or record by modifying the key value identifying the data.
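The following is an added illustration of the missing control described in the CVE text and in the CWE-639 definition above: an object-level authorization check on `relatedObjectId` before any comment is read or written. It is hypothetical code written for this entry, not linqi's implementation; the business-unit model, the process GUIDs and the function names are constructed assumptions.

```python
"""
Constructed example (not linqi's code): a comment store keyed by
relatedObjectId, with the object-level authorization check that the
IDOR above lacks. Access is decided by whether the caller belongs to
the business unit that owns the referenced process.
"""
import uuid

# --- Constructed fixture: two business units, one process each ---------
SALES_PROCESS = "11111111-1111-4111-8111-111111111111"    # constructed GUID
FINANCE_PROCESS = "22222222-2222-4222-8222-222222222222"  # constructed GUID

PROCESS_BUSINESS_UNIT = {SALES_PROCESS: "sales", FINANCE_PROCESS: "finance"}
USER_BUSINESS_UNITS = {"alice": {"sales"}, "bob": {"finance"}}

# In-memory comment store: relatedObjectId -> list of comment records.
COMMENTS: dict[str, list[dict]] = {}


class Forbidden(Exception):
    """Raised when the caller may not access the referenced object."""


def user_can_access(user: str, related_object_id: str) -> bool:
    """Object-level authorization: the caller must belong to the business
    unit that owns the process named by related_object_id.

    An unknown GUID is denied, not reported as 'not found', so the
    endpoint cannot be used to enumerate which GUIDs exist."""
    owner_unit = PROCESS_BUSINESS_UNIT.get(related_object_id)
    if owner_unit is None:
        return False
    return owner_unit in USER_BUSINESS_UNITS.get(user, set())


# --- Vulnerable shape: authenticated, but no check on the key -----------
def get_comments_unchecked(user: str, related_object_id: str) -> list[dict]:
    # 'user' is authenticated upstream, yet never compared against the
    # object; any caller-supplied GUID is honoured (CWE-639).
    return list(COMMENTS.get(related_object_id, []))


def post_comment_unchecked(user: str, related_object_id: str, text: str) -> str:
    record = {"id": str(uuid.uuid4()), "author": user, "text": text}
    COMMENTS.setdefault(related_object_id, []).append(record)
    return record["id"]


# --- Hardened shape: authorize the object before touching the store -----
def get_comments(user: str, related_object_id: str) -> list[dict]:
    if not user_can_access(user, related_object_id):
        raise Forbidden(f"{user} may not read comments on {related_object_id}")
    return get_comments_unchecked(user, related_object_id)


def post_comment(user: str, related_object_id: str, text: str) -> str:
    if not user_can_access(user, related_object_id):
        raise Forbidden(f"{user} may not write comments on {related_object_id}")
    return post_comment_unchecked(user, related_object_id, text)


if __name__ == "__main__":
    post_comment("alice", SALES_PROCESS, "Q3 forecast attached")
    print(get_comments_unchecked("bob", SALES_PROCESS))  # cross-unit read
    try:
        get_comments("bob", SALES_PROCESS)
    except Forbidden as exc:
        print("denied:", exc)
```

The check lives in front of both the read and the write path, because the advisory text covers GET and POST alike; placing it once in a shared decorator or middleware keyed on `relatedObjectId` is the usual way to keep new endpoints from reintroducing the gap.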
https://linqi.help/en/reference/security/security-advisories/#security-advisory-insecure-direct-object-reference-idor-in-comment-api-in-linqi