
Description

A weakness has been identified in mettle sendportal up to 3.0.1. Affected is the function destroy of the file app/Http/Controllers/Workspaces/WorkspaceInvitationsController.php of the component Invitation Handler. This manipulation of the argument invitation causes authorization bypass. The attack may be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.

PUBLISHED Reserved 2026-04-26 | Published 2026-04-27 | Updated 2026-04-29 | Assigner VulDB




MEDIUM: 5.3 | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:L/SC:N/SI:N/SA:N/E:X
MEDIUM: 5.4 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R
MEDIUM: 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L/E:X/RL:X/RC:R
5.5 | AV:N/AC:L/Au:S/C:N/I:P/A:P/E:ND/RL:ND/RC:UR

Problem types

Authorization Bypass

Improper Authorization

Product status

3.0.0: affected
3.0.1: affected

Timeline

2026-04-26: Advisory disclosed
2026-04-26: VulDB entry created
2026-04-26: VulDB entry last update

Credits

B1scuit (VulDB User) reporter

VulDB CNA Team coordinator

References

vuldb.com/vuln/359744 (VDB-359744 | mettle sendportal Invitation WorkspaceInvitationsController.php destroy authorization) vdb-entry technical-description

vuldb.com/vuln/359744/cti (VDB-359744 | CTI Indicators (IOB, IOC, IOA)) signature permissions-required

vuldb.com/submit/801781 (Submit #801781 | mettle sendportal v3.0.1 Insecure direct object reference) third-party-advisory

github.com/mettle/sendportal/issues/337 issue-tracking

github.com/mettle/sendportal/ product

cve.org (CVE-2026-7145)

nvd.nist.gov (CVE-2026-7145)
