8.8
CVE-2026-56767
- EPSS 0.33%
- Published 25.06.2026 18:03:33
- Last modified 25.06.2026 21:16:27
- Source disclosure@vulncheck.com
Maxun < 0.0.42 - Cross-Tenant IDOR in Storage and Webhook API Handlers
Maxun before 0.0.42 contains a cross-tenant insecure direct object reference vulnerability in storage and webhook API handlers that allows authenticated users to access other users' robots and OAuth tokens. Attackers can read plaintext Google and Airtable access tokens, modify, delete, or execute other users' robots by bypassing ownership checks in API endpoints.
Data is provided by the CVE Program from a CVE Numbering Authority (CNA) (unstructured).
Vendor: getmaxun
Product: maxun
Default status: unaffected

| Version | Version < | Status |
|---|---|---|
| 0 | 0.0.42 | affected |
| 0.0.42 | | unaffected |
VulnDex Vulnerability Enrichment
| Type | Source | Score | Percentile |
|---|---|---|---|
| EPSS | FIRST.org | 0.33% | 0.248 |
| Source | Base Score | Exploit Score | Impact Score | Vector String |
|---|---|---|---|---|
| disclosure@vulncheck.com | 8.7 | 0 | 0 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| disclosure@vulncheck.com | 8.8 | 2.8 | 5.9 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
CWE-862 Missing Authorization
The product does not perform an authorization check when an actor attempts to access a resource or perform an action.
https://github.com/getmaxun/maxun/issues/1079
https://github.com/getmaxun/maxun/pull/1088
https://github.com/getmaxun/maxun/commit/11db0257531f1c23dec94727793c9444ee2873cf
https://www.vulncheck.com/advisories/maxun-cross-tenant-idor-in-storage-and-webhook-api-handlers