CVE-2026-11369 | THREATINT

Description

The Comment API (GET /api/Comment and POST /api/Comment) in the affected application fails to perform authorization checks to verify that the requesting user has access to the object identified by the relatedObjectId. This Insecure Direct Object Reference (IDOR) vulnerability allows any authenticated user to read and write comments on any process across all business units by supplying an arbitrary object GUID.

PUBLISHED Reserved 2026-06-05 | Published 2026-06-05 | Updated 2026-06-05 | Assigner linqi

HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

Default status

unaffected

Any version

affected

References

linqi.help/en/reference/security/security-advisories/ vendor-advisory

cve.org (CVE-2026-11369)

nvd.nist.gov (CVE-2026-11369)

Download JSON