CVE-2026-3321 | THREATINT

Description

A vulnerability of authorization bypass through user-controlled key in the 'console-survey/api/v1/answer/{EVENTID}/{TIMESTAMP}/' endpoint. Exploiting this vulnerability would allow an unauthenticated attacker to enumerate event IDs and obtain the complete Q&A history. This publicly exposed data may include IDs, private URLs, private messages, internal references, or other sensitive information that should only be exposed to authenticated users. In addition, the leaked content could be exploited to facilitate other malicious activities, such as reconnaissance for lateral movement, exploitation of related systems, or unauthorised access to internal applications referenced in the content of chat messages.

PUBLISHED Reserved 2026-02-27 | Published 2026-03-30 | Updated 2026-03-30 | Assigner INCIBE

HIGH: 8.7CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:L/SI:N/SA:N

Problem types

CWE-639 Authorization bypass through User-Controlled key

Product status

Default status

affected

Any version

affected

Credits

Samuel de Lucas Maroto finder

References

www.incibe.es/...ces/aviso/authorization-bypass-on24-qa-chat

cve.org (CVE-2026-3321)

nvd.nist.gov (CVE-2026-3321)

Download JSON