
Description

OutSystems Lifetime is vulnerable to Authorization Bypass Through User-Controlled Key in the ApplicationID parameter. Any authenticated user can read the Change Log containing actions performed by other users, as well as the application name of any application. This issue was fixed in OutSystems Lifetime version 11.28.2.3955.

PUBLISHED Reserved 2026-04-09 | Published 2026-05-25 | Updated 2026-05-26 | Assigner CERT-PL




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Problem types

CWE-639: Authorization Bypass Through User-Controlled Key

Product status

Default status: unknown

Any version before 11.28.2.3955: affected

Credits

Zbigniew Piotrak (AFINE Team) finder

References

cert.pl/en/posts/2026/05/CVE-2026-40126/ third-party-advisory

www.outsystems.com/...MajorVersion=11&ComponentName=LifeTime product

cve.org (CVE-2026-40127)

nvd.nist.gov (CVE-2026-40127)
