CVE-2026-29204 | THREATINT

Description

Insufficient ownership check in `clientarea.php` allows an authenticated client area user to submit requests using another user’s `addonId` without any ownership validation leading to unauthorized access to the victim's account.

PUBLISHED Reserved 2026-03-04 | Published 2026-05-12 | Updated 2026-05-12 | Assigner hackerone

CRITICAL: 9.1CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Problem types

CWE-639 Insecure Direct Object Reference (IDOR)

Product status

Default status

unaffected

7.4.0 (semver)

affected

18.13.0 (semver) before 18.13.3

affected

9.0.0 (semver) before 9.0.4

affected

References

help.whmcs.com/m/125386/l/2073908-cve-2026-29204

cve.org (CVE-2026-29204)

nvd.nist.gov (CVE-2026-29204)

Download JSON