Home

Description

AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.

PUBLISHED Reserved 2026-07-04 | Published 2026-07-08 | Updated 2026-07-08 | Assigner VulnCheck




HIGH: 7.1CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

MEDIUM: 6.5CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Problem types

Missing Authorization

Product status

Default status
affected

Any version before 0.26.3
affected

Any version
affected

Credits

George Chen reporter

References

github.com/toeverything/AFFiNE/issues/15179 exploit

github.com/toeverything/AFFiNE/issues/15179 (GitHub Issue) issue-tracking

github.com/toeverything/AFFiNE (Product) product

github.com/...ommit/1f0bcd01a37a522393fc1b288395e3a72a79ccad (Patch Commit) patch

www.vulncheck.com/...tory-access-via-graphql-histories-field third-party-advisory

cve.org (CVE-2026-59262)

nvd.nist.gov (CVE-2026-59262)

Download JSON